New Cybersecurity Regulations for US Businesses

It is said that in 2021, 1 in 2 users in the US had their accounts hacked, and that 53.35 million people were affected by cybercrime in the first half of 2022 alone. Yet 9 out of 10 US businesses aren’t insured against cyber attacks.

The U.S. Securities and Exchange Commission (SEC) recognises that as companies become more global and complex, cyber security threats will keep pace, through more sophisticated intrusions, denial of service attacks, and misconduct and misuse by insiders. In short, cyber threats are a huge risk to US businesses and something needs to be done to protect them.
As such, the SEC has proposed new cybersecurity regulations. The new regulations aim to strengthen protection and mitigate cyber risks. Organisations will also need to make fundamental changes to how they address cybersecurity risks within their business.

Who Needs to Follow the New Cybersecurity Regulations?

According to the SEC, the new requirements will affect the following organisations:
  • Broker-dealers
  • Clearing agencies
  • Major security-based swap participants
  • The Municipal Securities Rulemaking Board
  • National securities associations
  • National securities exchanges
  • Security-based swap data repositories
  • Security-based swap dealers
  • Transfer agents (collectively, “Market Entities”) 

What Are the Cybersecurity Regulation Proposals?

Under the proposed Rule 10, the above types of businesses (collectively, “Market Entities”) will be required to do the following to enhance their cybersecurity practices:

1. Incident Reporting

Market Entities will need to report cybersecurity incidents promptly. These include significant breaches that could affect investors or the market generally. This reporting obligation aims to improve transparency and ensure businesses act quickly in providing critical information. Market Entities would give the SEC electronic notice of significant cybersecurity incidents.

2. Cybersecurity Policies and Procedures

The regulations also require companies to establish and maintain comprehensive cybersecurity policies and procedures. This includes implementing safeguards to protect sensitive data, conducting regular risk assessments, and developing incident response plans. Market Entities will also need to review and assess the design and effectiveness of their cybersecurity policies at least annually to make sure they still reflect changes and developments in cyber threats.

3. CISO Accountability

Companies will need to appoint a Chief Information Security Officer (CISO) who will be in charge of overseeing and implementing cybersecurity policies.

Why Are Cybersecurity Regulations Being Put in Place?

Because of the frequency and severity of continued cyber threats, incidents seriously affect business markets. The SEC wants to assure investors, insurers and market participants that companies are “fit for a digital age”. The US wants to ensure greater investor protection so that investors are not deterred from investing in the US market. As such, certain companies will be obliged to meet required standards of protection against cyber threats that could compromise the value of businesses and leave them vulnerable to data exposure.
The EU Commission recently announced its newly proposed Cyber Solidarity Act, which is being introduced to protect against the increased threat of cyberattacks across the EU. The US has a slightly different incentive for improving cybersecurity protection compared to this. However, it is clear that countries around the world are realising that cyber security is vital to the productivity and profitability of companies, as well as to protecting individual rights.

Five Ways the New Regulations May Affect US Businesses

The proposed SEC cybersecurity regulations may affect US businesses in the following ways:

1. Increased resource allocation for cybersecurity

Businesses will need to develop robust cybersecurity policies and procedures to comply with the regulations. This may involve hiring specialised cybersecurity experts to advise on and assist with creating policies and introducing cyber protections into everyday business life. It may also involve training staff to be aware of threats and having a digital lawyer on hand to explain the legal requirements. Companies will also need to invest in advanced cybersecurity technologies, conduct regular risk assessments, and establish incident response plans.

2. Reporting Obligations

The regulations will impose additional administrative burdens on businesses, as they will have a duty to report cybersecurity incidents promptly. It is therefore important that companies have dedicated members of staff who monitor the risks and can act quickly when a threat arises.

3. Business Reputation

Cyber threats can seriously affect a business financially and can tarnish its reputation with its customers. The SEC will require companies to publicly disclose information about their cybersecurity protections, giving investors greater transparency. This should enhance business reputations, as companies will be seen as more reliable and trustworthy, allowing investors to feel more secure in investing. In the future, companies may be able to gain a competitive advantage over rivals by having a more robust and transparent cyber security policy.

4. Legal and financial liabilities

Businesses that fail to comply with the proposed regulations will be heavily affected. Noncompliance could lead to legal liabilities and financial penalties.

5. Third-party risk checks

The SEC recognises that many cyber threats originate with business partners such as third-party providers or others within an organisation’s supply chain. Weaknesses in third-party companies such as suppliers or stakeholders can affect the businesses connected to them. For example, if a company suffers a data breach or becomes a victim of a ransomware attack, the businesses it works with can also be put at risk, as their data may be leaked or their client information exposed.
As such, companies may need to strengthen their third-party risk management strategies to ensure that the other businesses they work with have the correct protections in place. This could form an additional layer of the risk assessment process.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.
