Contributed By FTI Consulting
At a federal level, there are several laws and regulations related to cybersecurity, data breaches, and incident response, but most are sector- or state-specific and not designed for general application. These include the Payment Card Industry (PCI) Data Security Standard (DSS), the Gramm-Leach-Bliley Act (GLBA), the Defense Federal Acquisition Regulation Supplement (DFARS) Compliance Assessment, the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services (DFS) Cybersecurity Requirements, and the Federal Information Security Modernization Act (FISMA), to name just a few. These laws and rules have varying event notification and incident response requirements, including:
Understanding the fragmented and complex regulatory landscape can be challenging, but by prioritising cybersecurity and building resilience, organisations will be better prepared to ensure compliance. Regular programme assessments, training, practising incident response, and updating protections based on an evolving threat landscape will not only significantly mitigate cyber-risks, but also help keep pace with regulation. Demonstrating that real efforts around cybersecurity are regularly occurring will help regulators view organisations impacted by a cybersecurity incident more favourably than those who are wilfully negligent.
Various agencies, both state and federal, enforce data protection and cybersecurity laws. These include the Securities and Exchange Commission (SEC), the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), the Department of Justice (DOJ), the New York State Department of Financial Services (NYDFS), and state attorneys general. Failing to implement proper cybersecurity protections, or failing to report as required, can result in fines, lawsuits, and sanctions.
Generally speaking, data breaches involve information being accessed or compromised by an unauthorised party. The information is often personal, but it can also extend to proprietary or confidential data – eg, valuable software code. Cybersecurity incidents are much broader and can range from ransomware or distributed denial-of-service attacks to misinformation campaigns and “deepfake” propaganda.
In the United States, the key regulators and government agencies include but are not limited to:
From a broad perspective, regulators and government agencies have the authority to conduct investigations stemming from their own determinations or based on violation complaints and reports of cybersecurity and privacy incidents. Conducting proactive audits, requesting information on cybersecurity measures, issuing subpoenas, and ultimately, imposing penalties and fines are all within the purview of many of these regulators and agencies.
The administration and enforcement process followed by regulators and authorities varies by agency and jurisdiction. Applicable governing bodies have the ability to determine appropriate paths forward, and informal resolutions are a common outcome of violations.
Details regarding key regulators, their jurisdictions, and their enforcement powers can be found in 1.2 Regulators.
***
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.
While there is no federal cybersecurity law in the United States that applies to every organisation, there are sector- and state-specific regulations.
There are, however, federal laws such as the Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018. The CLOUD Act addresses cross-border and privacy concerns regarding data sought in law enforcement investigations and is intended to protect individuals’ rights regarding their information while ensuring that law enforcement can continue to pursue criminals. Although a US law, the CLOUD Act is applicable to foreign governments as well.
For additional context, please see 1.1 Laws.
Law enforcement involvement is often critical during incident response, especially in situations where the illegal transfer of funds has occurred. However, law enforcement and regulatory bodies are different entities and choosing to collaborate with law enforcement does not supersede the need to maintain compliance with applicable regulation. This demonstrates the importance of seeking the advice of legal counsel to help determine the extent of collaboration with governmental organisations, with the goal of resolving the incident.
Organisations impacted by a cybersecurity incident (eg, business email compromise or ransomware) can report these events to the FBI’s Internet Crime Complaint Center (IC3). However, best practice encourages establishing relationships with federal, state, and local law enforcement ahead of a cybersecurity incident. This reduces delays in determining whom to contact in the midst of a crisis.
Please also see comments under 7.1 Required or Authorised Sharing of Cybersecurity Information.
The main difference between operating under a national system and a subnational approach is that more onus is put on organisations to achieve compliance with the various requirements that apply to their sector. Instead of a single, comprehensive framework that consolidates cybersecurity regulation, such as the General Data Protection Regulation (GDPR) in the EU, organisations in a subnational environment must identify which regulations apply and take steps to ensure that requirements are met, despite potential overlaps. Enforcement is also a differentiator, as subnational approaches involve numerous agencies with the authority to impose penalties.
A range of new regulatory requirements have been introduced across industries, requiring impacted organisations to comply. These requirements can vary widely, as can the outcomes the regulators are looking to achieve. Taking a piecemeal approach to compliance is no longer an option. Instead, new operating models that aggregate regulatory requirements and take a resource-focused, holistic approach are becoming a necessity. Individuals other than the Chief Information Security Officer and their team are needed to support regulatory compliance efforts, including the general counsel and the risk and compliance teams. Regulators and organisations want the same outcome – resilient organisations and a secure society – so collaboration is key.
Please see comments under 11.1 Further Considerations Regarding Cybersecurity Regulation.
Please see comments under 1.1 Laws.
Please see comments under 1.2 Regulators.
Please see comments under 7.1 Required or Authorised Sharing of Cybersecurity Information.
Please see comments under 1.2 Regulators.
Please see comments under 1.2 Regulators.
Please see comments under 1.2 Regulators.
There are several frameworks that are considered industry standard best practices by organisations and regulators alike.
Payment Card Industry (PCI) Data Security Standard (DSS)
PCI DSS is a set of security control objectives that raise the cybersecurity bar for companies that accept, process, store, or transmit payment card data, thus making it harder for cybercriminals to steal.
ISO 27001
Developed by the International Organization for Standardization (ISO), this international information security framework provides guidance regarding information security management systems (ISMS) and how they can be created, operated, maintained, and improved, with the goal of protecting critical assets and adhering to regulatory requirements.
NIST Cybersecurity Framework (CSF)
Created by the National Institute of Standards and Technology (NIST), this framework provides five focus areas (identify, protect, detect, respond, recover) to improve risk management processes and overall cybersecurity posture.
CIS Critical Security Controls (CIS Controls)
Developed by the Center for Internet Security (CIS), these best practices help enhance overall cybersecurity posture through simplifying threat protection strategies, complying with regulation, practicing cyber hygiene, and aligning cybersecurity and business goals.
Please see comments under 3.1 De Jure or De Facto Standards.
In the United States, certain regulation exists, such as the Health Insurance Portability and Accountability Act (HIPAA), which requires that written information security plans be developed. HIPAA also requires impacted organisations to have incident response plans in place. Different industries face sector-specific regulation, such as the cybersecurity rules published by the New York Department of Financial Services, which all covered entities must meet. Although not legally mandated, organisations that make ransomware payments can face potential implications, for example, if the threat actors are on a sanctioned entities list.
While not a legal requirement, various organisations provide recommendations aimed at improving cybersecurity protections and response capabilities, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was updated to version 2.0 in February 2024. NIST and similar US agencies publish standards for cybersecurity best practices that include specific guidelines, such as implementing multi-factor authentication.
Please see comments under 1.4 Multilateral and Subnational Issues.
Please see comments under 1.1 Laws.
Please see comments under 1.1 Laws.
Please see comments under 7.1 Required or Authorised Sharing of Cybersecurity Information, specifically regarding the Cybersecurity and Infrastructure Security Agency (CISA).
The Computer Fraud and Abuse Act (CFAA) is a US law that has been amended and updated several times since its enactment in 1986 and can be useful in preventing denial-of-service attacks. The Act prohibits intentional unauthorised computer access and is often used to prosecute cybercrimes.
Please refer to 5.6 Security Requirements for IoT.
See 3.3 Legal Requirements and Specific Required Security Practices.
What constitutes a reportable data security incident, breach, or cybersecurity event largely depends on the applicable regulation or specific industry standards. A data security incident, breach, or cybersecurity event is generally defined as unauthorised access to networks, systems, or devices that compromises the integrity of sensitive information or significantly interrupts business operations. Understanding exact definitions is important. For example, the Securities and Exchange Commission (SEC) has cybersecurity rules that require organisations to report “material” cybersecurity incidents and data breaches within four days. “Material” is a subjective concept, however, and the term is not specific to the SEC. Broad definitions could result in uncertainty and the risk of non-uniform treatment of cybersecurity incidents.
More formally, the National Institute of Standards and Technology (NIST) defines a cybersecurity incident as “[a]n occurrence that (1) actually or imminently jeopardises, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies”.
The data elements covered in a data security incident, breach or cybersecurity event involve sensitive or confidential information, including personally identifiable information (PII), protected health information (PHI), financial records, proprietary business information or intellectual property, credentials, and metadata.
The systems covered in a data security incident or cybersecurity event include servers, applications, network infrastructures, databases, endpoints, monitoring tools, cloud-based platforms, and back-ups.
In the United States, the Food and Drug Administration (FDA) released guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submission”. This guidance allows the FDA to require that medical device manufacturers “demonstrate reasonable assurance that the device and related systems are cybersecure”.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
The NERC CIP framework consists of a series of standards designed to govern, oversee, and enhance the security of the Bulk Electric System (BES) within North America (the continental United States; the Canadian provinces of Alberta, British Columbia, Manitoba, New Brunswick, Nova Scotia, Ontario, Quebec, and Saskatchewan; and the Mexican state of Baja California Norte). Focused on the cybersecurity dimensions of the BES, these standards establish a comprehensive cybersecurity infrastructure for pinpointing and safeguarding essential assets critical to the dependable and effective distribution of electricity across the North American BES.
Federal Energy Regulatory Commission (FERC) Order No 848 and CIP 013-1, CIP 010-3, CIP 005-6
FERC Order No 848 and CIP 008-6
A unified set of requirements specific to IoT does not yet exist, but the guidelines and frameworks included in 3.1 De Jure or De Facto Standards are applicable and offer guidance on how to protect IoT devices and mitigate the corresponding cybersecurity risks.
Software providers should ensure that cybersecurity is considered from the outset and addressed at every stage of development, rather than attempting to secure a finished product after the fact. While not specific to software, the guidelines and frameworks included in 3.1 De Jure or De Facto Standards are applicable and offer guidance on how to secure the software development life cycle.
Please see comments under 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.
Please see comments under 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.
Key Cybersecurity Tools
In today's interconnected digital landscape, cybersecurity defences are paramount to safeguarding sensitive information and mitigating evolving cyber threats. When network monitoring or cybersecurity defensive measures involve the processing of personal data, it becomes imperative to adhere to relevant obligations governing data protection and privacy. This necessitates not only a commitment to compliance with applicable regulations, but also a principled approach that prioritises cybersecurity and privacy and ensures the ethical and transparent use of monitoring technologies.
Using network monitoring tools, organisations detect and analyse network traffic for suspicious activities such as unauthorised access attempts, malware communications, or data exfiltration. Email monitoring tools play a crucial role in scanning inbound and outbound emails for phishing attempts, malicious attachments, or suspicious links, thus mitigating the risk of email-based threats. Additionally, regular monitoring of website traffic and activity is essential for identifying and responding to potential cybersecurity incidents, such as unauthorised access attempts, SQL injection attempts, or website defacement. Deployment of data loss prevention (DLP) solutions enables monitoring and control of sensitive data movement within the network, thereby supporting compliance with regulatory requirements and protecting against data breaches. Deep packet inspection (DPI) technologies facilitate the inspection and analysis of packet-level data to identify and block malicious or unauthorised traffic, providing enhanced protection against advanced threats.
Data Privacy Considerations
Organisations must ensure that network monitoring practices and tools do not infringe upon the privacy rights of individuals. Monitoring activities should align with applicable laws and regulations, with consideration given to cybersecurity and privacy concerns. Unauthorised surveillance of users’ personal communications should be prohibited, unless explicitly authorised for legitimate security or compliance purposes. Organisations should maintain transparency regarding their network monitoring activities, informing employees and users about the types of monitoring conducted and the purposes of the monitoring.
Further, organisations should ensure that their network monitoring practices comply with relevant regulations, such as HIPAA or the PCI DSS, depending on the nature of the data being monitored. Establishing ethical guidelines to govern the use of network monitoring tools and practices is essential. Additionally, mechanisms for oversight and accountability should be established to oversee the use of network monitoring tools and ensure adherence to established policies and procedures.
The intersection of cybersecurity and privacy/data protection raises several critical issues that revolve around balancing the safeguarding of sensitive information with respecting the privacy rights of individuals. A central tension exists between the need for robust cybersecurity measures, which often involve extensive data collection and surveillance, and individuals’ right to privacy. Many cybersecurity defensive measures, such as deep packet inspection and email monitoring, involve monitoring practices that may impact individuals’ privacy. Balancing the need for effective threat detection with the protection of personal privacy is a significant challenge.
Organisations often retain and utilise vast amounts of data collected through cybersecurity measures for various purposes, including threat intelligence analysis and incident response. Prolonged retention and secondary use of this data may raise privacy concerns when personal information is involved.
Compliance with data protection and privacy regulations adds another layer of complexity to the intersection of cybersecurity and privacy. Organisations must navigate a complex regulatory landscape, ensuring that their cybersecurity practices align with the requirements of regulations, while also effectively mitigating cyber threats.
Maintaining transparency regarding cybersecurity practices and obtaining informed consent from individuals affected by monitoring activities are essential principles for upholding privacy rights. However, achieving transparency and obtaining meaningful consent in the context of cybersecurity measures can be challenging, particularly when real-time threat detection and response are prioritised.
In navigating the intersection of cybersecurity and data privacy protection, it is important to carefully consider these critical issues. Emphasising transparent and ethical cybersecurity practices is key to effectively mitigating cyber threats while respecting individuals’ rights to privacy and data protection.
In the ever-evolving cybersecurity threat landscape, collaboration and information sharing have become indispensable tools in the fight against malicious threat actors. Across industries, organisations recognise the importance of pooling resources and expertise to enhance their collective resilience against cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA) facilitates the exchange of cybersecurity-related information between private sector entities, government agencies, and other stakeholders through its Automated Indicator Sharing (AIS) service. Through AIS, organisations share cyber threat indicators and defensive measures in real time. This sharing enables a more comprehensive understanding of the threat landscape and facilitates timely responses to cyber-incidents. By sharing information and resources, organisations can enhance their ability to detect, prevent, and respond to cyber threats, ultimately improving the overall resilience of the cybersecurity ecosystem.
In response to the rapidly evolving cybersecurity landscape, Information Sharing and Analysis Centers (ISACs) were established by a US Presidential directive. These sector-specific organisations serve as pivotal nerve centres for encouraging information and cyber-intelligence sharing among industry peers. Through ISACs, organisations within various sectors collaborate to exchange vital intelligence on both physical and cyber threats, as well as best practices for mitigation.
There has been a recent rise in enforcement, litigation, and settlements stemming from large-scale data breaches, most notably against fintech companies, cryptocurrency companies, and third-party vendors servicing some of the largest financial institutions. These events have led to increased focus by federal and financial services regulators, resulting in the introduction of new cybersecurity rules, such as the New York Department of Financial Services Part 500, guidance from the Securities and Exchange Commission, and the “Final Rule” enacted by the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Reserve.
Financial regulators have levied multi-million-dollar fines on companies whose alleged lax cybersecurity led to consumer financial losses. Additionally, regulators have sued private sector entities for causing financial losses to their constituents. More recently, the New York Attorney General sued a global bank for inadequate cybersecurity and anti-fraud protocols, which had led to millions of dollars in losses for New York account holders.
See 8.1 Regulatory Enforcement or Litigation.
As a result of a popular file transfer software being exploited in 2023 by threat actors, which resulted in the compromise of sensitive information for millions of people, multiple lawsuits were filed. Some of the suits contain negligence and breach of contract claims for failing to properly protect personal information.
A data breach at a credit bureau company in 2017 that compromised the personal information of more than 100 million people resulted in a class action lawsuit and ultimately a settlement with US agencies and states, including the Federal Trade Commission and the Consumer Financial Protection Bureau. As part of the settlement, the credit bureau was responsible for paying more than USD400 million to those impacted by the breach.
Some of the latest changes to the SEC’s cybersecurity rules and NYDFS Part 500 rules have requirements related to elevated oversight and risk assessments.
The SEC, specifically, requires publicly traded companies to disclose:
The New York Department of Financial Services 23 NYCRR 500 requires that entities falling in its Class A category base their cybersecurity programme on their risk assessment. Class A companies must also have independent audits of their cybersecurity programme conducted. Further, these rules require that each covered entity designate a Chief Information Security Officer to retain responsibility for compliance. The CISO is required to report in writing at least annually to the covered entity’s senior governing body on the entity’s cybersecurity programme, including on material cybersecurity issues. The senior governing body should exercise oversight of the covered entity’s cybersecurity programme.
Class A companies are those with at least USD20 million in gross annual revenue in each of the last two fiscal years in New York State and either:
Today, pre-transaction due diligence includes cybersecurity and data privacy elements. Utilising industry standards such as the CIS Critical Controls Framework, companies can identify gaps and develop a prescriptive implementation roadmap to bolster cybersecurity maturity of the target company.
In July 2023, the Securities and Exchange Commission adopted new cybersecurity rules impacting any public company doing business in the United States. The aim of these rules is to inform investors and strengthen abilities regarding cybersecurity and incident reporting. A main element of the rules is that organisations are required to report material cybersecurity incidents and data breaches within four days. Further, on a quarterly basis, impacted organisations also need to provide details regarding incidents that were previously disclosed.
Major Cyber Threats
In an era defined by rapid technological advancements and global interconnectivity, the intricate relationship between geopolitical tensions and cyber-risk has emerged as a critical concern for American business operations. As seen in previous times of global tension, both state and non-state actors alike capitalise on instability and uncertainty to exploit vulnerabilities, advance political objectives, conduct espionage, and take advantage of financial opportunities. Organisations are encouraged to collaborate with national agencies such as the FBI when issues threatening nation-state cybersecurity arise.
In addition to national security threats, ransomware remains a top concern for organisations in the United States. Ransomware actors continue to seek increasingly creative and aggressive tactics to coerce victims into meeting ransom demands. The double extortion model has evolved to triple extortion, where after stealing and encrypting data, cyber criminals both demand a ransom and threaten the organisation’s customers or partners. Threat actors will directly contact employees and customers, often threatening exposure of private information, to increase payment urgency. The latest iteration of coercion strategy involves leveraging compliance reporting requirements: threat actors amplify pressure by notifying a regulator that they have compromised the victim, before the victim can report the incident themselves. By targeting an organisation’s legal obligation to report cybersecurity incidents, cyber criminals can add a layer of urgency and complexity to their demands. Companies faced with a ransomware attack must not only consider the immediate operational and reputational impact of the attack, but also the potential legal and regulatory consequences.
Artificial Intelligence
As businesses across the United States hurry to implement artificial intelligence (AI) into their processes and business models amidst the technology’s rapid rise, the risks posed must be fully evaluated. As with any new technology, reliability concerns are an issue, with AI and machine learning models only being as accurate as the information they receive. Threat actors may intentionally target data model sources to generate inaccurate information. AI also raises privacy concerns around sensitive and consumer information. If an AI model is not properly configured or implemented, there is a risk of unintentionally releasing the sensitive data used in the model. In January 2023, the National Institute of Standards and Technology (NIST) released an AI risk management framework to assist organisations with the secure implementation and management of AI systems. As the NIST cybersecurity framework is the standard for many organisations, it is reasonable to expect that the NIST AI framework will become the expectation for secure AI development and implementation across the United States.
Additionally, generative AI, or AI capable of creating images, text, and synthetic data, has the potential to fuel sophisticated cyber-attacks. Threat actors can use generative AI to create deepfakes, spread misinformation, and easily write malicious code, allowing threat actors with limited technical skills to execute advanced attacks. The advent of generative AI technologies has brought about new avenues for threat actors, with the development of malicious tools. These AI chatbots have been listed for sale across various dark web marketplaces, offering a “blackhat” alternative to ChatGPT and other AI chatbots designed to operate under strict ethical limitations. Specifically engineered for illicit purposes, these tools are tailored to assist in a range of malicious activities including automated phishing and social engineering attacks, facilitating fraud and scams, creating malware, and accessing the dark web.
Cybersecurity Insurance
Cybersecurity insurance has grown in popularity for businesses of all sizes across the United States, but the market remains disrupted as cyber-attacks become more frequent and costly. Rates are increasing and insurance companies are looking more closely at the cybersecurity measures organisations have in place before agreeing to coverage. In addition to traditional cyber-insurance, organisations are also beginning to consider director and officer (D&O) liability insurance, which protects individuals, in addition to the organisation, in the event of a cyber-incident. An increasing focus on individual accountability when it comes to cybersecurity has led to legal troubles for several executives, and new regulations including the SEC cybersecurity rules and the NYDFS Part 500 cybersecurity rules place greater emphasis on board and executive involvement in cybersecurity protections, leaving more liability on individuals in the event of an organisational cybersecurity incident.
555 12th St NW STE 700
Washington, DC 20004
USA
+1 (202) 312-9100
+1 (202) 312-9101
www.fticonsulting.com/about/contact-us
www.fticonsulting.com/