The Latest US Cybersecurity Regulations, Crackdowns & Trends

In the past year we have seen fascinating shifts in government interest and oversight of cybersecurity. There has been a resurgence of governmental interest in proactive US cybersecurity regulations, as well as a sharp increase in law enforcement’s focus on cybercrime. Let’s look at the changes, proposed legislation, and how your organization can prepare.

The Cybercrime Crackdown

For way too long, ransomware operators and cybercriminal gangs went largely unchecked. In April of 2021, the Department of Justice (DOJ) created a new Ransomware and Digital Extortion Task Force designed to coordinate and prioritize the investigation and enforcement activities surrounding ransomware incidents.

Since then, the US has ramped up domestic and internal law enforcement efforts, resulting in warrants, raids and/or prosecutions of over a thousand cyber criminals. The international crackdown included a Trickbot leader, a SIM jacking group, state-sponsored espionage groups, and more. Recently, the US has collaborated with other countries to arrest members of the REvil group, one of the largest ransomware operations. In a surprising turn, some of the arrests were made in Russia, a former haven for cybercriminals. With the recent arrests in Russia attributed to pressure from the US, it’s clear that the US’s new stance of “if you come for us, we’re gonna come for you,” is changing the cybercrime landscape.

Upcoming US Cybersecurity Regulations Changes Your Organization Should Watch

Keep an eye on emerging legislative and US cybersecurity regulations and trends, and consider whether any of these changes could impact any of your long-term business or cybersecurity initiatives:

1. US Cybersecurity regulations are expanding for many organizations.
   1. US government agencies and their contractors. A 2021 Executive Order mandated that government agencies and their supply chain providers tighten their cybersecurity. It requires compliance with NIST framework requirements and makes once optional inspections mandatory. You can find more details on these changes in this blog. In addition, Federal Hearings are also underway to update the Federal Information Security Management Act (FISMA) These updates will help further define roles and policies for government agencies and their contractors in order to implement stronger cybersecurity practices. The DOJ has also alerted organizations that they will step in and prosecute government suppliers who are not meeting their contractual cybersecurity requirements.
   2. Banks and bank service providers. As of April 1, 2022, US banks that are regulated by OCC, Federal Reserve or FDIC are required to report significant cybersecurity notification incidents to their regulatory agency “as soon as possible” within 36 hours. This rule also requires bank service providers that provide covered services to banking organizations to report any “computer security incident” that results in impairment or likely impairment of four hours or more to a bank’s operations, processes, services, business or will pose a threat to the US financial stability. For more details on this new regulation and requirement, watch our video on bank and bank service provider notification rules.
   3. Pending cybersecurity notification legislation for all organizations. The US Senate recently passed the Strengthening American Cybersecurity Act that if passed by the House, will require organizations that are considered part of the US critical infrastructure to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours.
   4. Pending changes for healthcare organizations. It is widely anticipated that the 2022 changes to HIPAA will include policy updates on the speed and ways people can access PHI, the fees that can be charged, and more.
2. Privacy regulations are increasing. From the ground-breaking European GDPR regulations to the California Consumer Privacy Act (CCPA), privacy legislation is becoming an increasing concern. In 2021 Virginia and Colorado passed privacy legislation, and more than 25% of US states have privacy legislation under consideration. California’s upgraded California Privacy Rights Act (CPRA) goes into effect in 2023 and adds additional privacy measures to the original CCPA. There’s also buzz about the privacy implications of employee monitoring systems, especially with BYOD devices, AI bias concerns, and biometric data rights. In fact, several states already have pending legislation to establish regulations around the use or collection of biometric data. As your organization makes decisions on how to move forward with technology innovations or data use and storage, you’ll want to keep a close eye on any state and US cybersecurity regulations and trends.
3. Regulations and rules aimed at quashing ransomware. From the Colonial Pipeline to the Kaseya attacks, the US government has been cracking down on ransomware groups and ramping up US cybersecurity regulations in response. To decrease the number of ransomware attacks, NIST released a framework for ransomware risk management. 2021 also saw increasing pressure from government agencies for organizations to stop paying ransoms and heightened pressure for organization to report incidents to the FBI. The global crackdown on ransomware operators is changing the landscape, with some ransomware gangs charging higher ransoms to a smaller number of targets, while others have shifted to targeting individual computers with inexpensive ransoms.
4. The FTC declared its intent to prosecute companies that do not take steps to mitigate known vulnerabilities. In January of 2022, the FTC issued a press release on the importance of patching the Log4J exploit (read more and get Log4j patch directions here). This release also includes the impactful statement that “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Organizations will need to increase their emphasis on timely patching (read this blog on patching tips) or face potential legal consequences.

As the US cybersecurity regulations evolve, the ripple effects will be felt by all organizations. Staying aware of these trends can help your organization make informed decisions as you consider new business initiatives and how to prioritize your cybersecurity spending.

If you need help understanding these changes, or optimizing your policies and procedures to be compliant, please contact us. Our experienced team is ready to help!