US banks’ cybersecurity breach reporting

The impact of new cybersecurity incident reporting rules on US banks will be significant. The rules mean US banks must notify federal regulators of any cybersecurity incidents within 36 hours of discovering them. Security staff will have to ensure proper technical, administrative, and physical safeguards are in place to discover computer-security incidents and have policies and procedures to determine whether they rise to the level of a notification incident. They will also have to maintain appropriate regulatory points of contact so that the agency can be contacted quickly if required.

Co-operation on supply chain security

Governments worldwide, including the US, France, and the UK, are starting to take supply chain security seriously and cooperate to prevent supply chain attacks. In May 2021, the US government issued an executive order to enhance supply chain security following a series of cyberattacks, including the SolarWinds network management tools attack in December 2020, which affected up to 18,000 organisations.

The US executive order mandated developing security standards for software sold to the US government to address vulnerabilities in software supply chains, including requiring developers to provide greater visibility into their software. In the UK, the government’s Cyber Security Breaches Survey 2021 found that just 12% of businesses have reviewed cybersecurity risks posed by their suppliers, and 5% have done this for their wider supply chain. A key concern is the low recognition of supplier risk: many organisations are often unclear about how their suppliers’ cybersecurity was linked to their own security.

Greater international cooperation is now on the cards to combat threats. In November 2021, following a meeting with French President Emmanuel Macron, US Vice President Kamala Harris said the US would sign up to a framework offered by the French government for cooperation on cyber and supply chain security.

GlobalData Strategic Intelligence

US Tariffs are shifting - will you react or anticipate?

Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.

By GlobalData

Learn more about Strategic Intelligence

Mandatory disclosure of cyberattacks

The US Securities and Exchange Commission (SEC) and the US Senate are stepping up the rules on the mandatory disclosure of cyberattacks. It follows a call for more robust reporting rules after the 2021 series of ransomware attacks against the Colonial Pipeline, meat processor JBS, and software company Kaseya, among others.

The new rule proposed by the SEC in March 2022 would force public companies to disclose cyberattacks within four days, along with periodic reports about their cyber-risk management plans. Specifically, the proposed rule would amend reporting requirements to include cybersecurity incident disclosure  “within four business days after the registrant determines that it has experienced a material cybersecurity incident.”

In March 2022, the US Senate also unanimously passed the Strengthening American Cybersecurity Act of 2022. It would, among other things, require critical infrastructure operators and federal agencies to report cyberattacks and ransomware payments.

The gradual changes in disclosure thinking follow a call from Microsoft president Brad Smith for mandatory disclosure of cyberattacks. Smith urged US lawmakers to impose obligations on companies and organisations to report any cyberattacks they face to better safeguard the country from incidents like the breach of SolarWinds systems.

EU cybersecurity legislation

Creating new laws to deal with cybersecurity is a challenge for one country. It is even more difficult to introduce them in 27 countries. A new EU draft law, NIS2, sets out tighter cybersecurity obligations regarding risk management, reporting obligations, and information sharing. The law will introduce new rules across the member states of the EU to improve the security of networks and information systems.

EU countries would have to meet stricter supervisory and enforcement measures and harmonise their sanctions regimes. The requirements include incident response, supply chain security, encryption, and vulnerability disclosure, among other provisions. The directive also establishes a framework for better cooperation and information sharing between authorities and member states and creates a European vulnerability database.

The original European cybersecurity directive was set up in 2017, but EU countries all implemented it differently, leading to insufficient cybersecurity levels. There are still several issues to be resolved under NIS2, including reporting obligations in the case of a cyber incident. Once agreed upon, the law is expected to come into effect by 2024.

Consumer software security standards

The US government wants consumers to care more about whether their internet-connected devices are hackable or not. It wants to move beyond increasing cyber defences in critical industries to trying to change how people think about cybersecurity. It remains to be seen if other countries will copy the move.

The effort emerged from President Biden’s cybersecurity executive order in May 2021, and it was pioneered by the US National Institute of Standards and Technology (NIST). NIST plans to create a certificate programme that verifies that internet-connected devices meet basic cyber standards, such as accepting software patches and allowing users to control what information the devices collect and share about them.

This is an edited extract from the Cybersecurity – Thematic Research report produced by GlobalData Thematic Research.