CyberSecurity SEE

How to Handle the Ambiguity in New Cyber Regulations

A wave of new privacy and disclosure requirements from regulatory bodies has left cybersecurity teams grappling with liability and struggling to achieve compliance. These stiffer regulations, crafted with ambiguous language and vague guidelines, have created confusion and uncertainty among cybersecurity professionals.

One recent example of the challenges presented by unclear regulatory language is the Securities and Exchange Commission’s (SEC) guidelines on cyber incident disclosure. Cybersecurity expert Adam Shostack has highlighted the misinterpretation of these rules, particularly in relation to the timing of reporting material breaches. Shostack emphasizes that transparency is important but notes that disclosure should happen within four days of determining that a breach is material, not within four days of discovering a breach.

To address the complexities of navigating these new regulations, Shostack will join a panel of experts including Mike Hintze, Daniel P. Cooper, and Leslie R. Katz at Black Hat USA. Their presentation, titled “Hot Topics in Cyber and Privacy Regulation,” aims to provide guidance on understanding and complying with the slew of new cyber regulations.

While some of the vagueness in cyber regulations is necessary, Shostack believes that the cybersecurity industry must take a proactive role in shaping these rules. He suggests that if industry professionals find the standards too open-ended, they should approach industry groups and lobbyists to advocate for more precise guidelines.

Katz, an attorney and former tech executive, supports Shostack’s viewpoint and emphasizes the importance of technical guidance in rulemaking discussions. Without cybersecurity expertise, regulatory bodies like the SEC are limited to using punishment as a means of enforcement, rather than providing meaningful guidance and education.

Katz also points to the SEC’s recent criminal action against individual SolarWinds executives in response to the company’s 2020 breach as an example of the SEC’s efforts to regulate through enforcement. She sees this as a warning to the cybersecurity community, highlighting the need for increased vigilance and rapid incident response.

The panel at Black Hat USA aims to cover various topics related to cyber and privacy regulations, including US privacy law, European Union regulations on artificial intelligence, the EU-US Data Protection framework, and best practices for engaging with the compliance and rulemaking process.

Amidst ongoing regulatory uncertainty, Shostack emphasizes the importance of close collaboration with legal and compliance experts. He suggests that organizations should rely on technical standards from the National Institute of Standards and Technology, such as its Cybersecurity Framework or its Secure Software Development Framework, as a starting point for achieving compliance and building a robust cybersecurity posture.

In conclusion, the increasing number of privacy and disclosure requirements from regulatory bodies has created challenges and confusion for cybersecurity teams. The lack of clarity in regulatory language and guidelines has led to misinterpretation and hindered compliance efforts. The cybersecurity community is called upon to actively participate in shaping these regulations and providing technical guidance. Collaboration with legal and compliance experts is vital in navigating the complex landscape of cyber regulations.
