Preparing to Comply With New Cybersecurity Requirements

July 12, 2022


Recent high-profile cybersecurity incidents have affected large numbers of everyday citizens and have catapulted cybersecurity into the legislative and regulatory spotlight. The U.S. government — along with governments, regulatory agencies and companies around the world — has joined efforts to increase oversight of these incidents. Congress recently passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to require reporting of cyber incidents, and the Securities and Exchange Commission (SEC) has proposed a rule requiring publicly listed companies to report cybersecurity incidents to the SEC and disclose them to investors. Both requirements have important implications for risk management and legal compliance. 

Although CIRCIA and SEC regulations target cyberincident reporting, reporting is only one component of a larger framework for cyberincident readiness, response and remediation. Companies preparing to comply with new regulations can segment their preparation into three stages: (1) determining the baseline of their existing cybersecurity reporting capabilities, (2) identifying gaps to meet reporting requirements and (3) developing a road map to fill existing gaps. We are entering a new era in cybersecurity — one in which oversight of cybersecurity incidents is increasing. Organizations can benefit from establishing or fine-tuning cybercrisis management programs to help them prepare for the increased regulatory requirements.
