It’s often said that regulations can’t keep up with the pace at which technology changes—but that doesn’t mean the regulators and organizations that design them aren’t trying their hardest. In fact, the societal ripple effects of more frequent and increasingly damaging cyberattacks and data breaches, together with a series of high-profile incidents of platform misuse, have seen the regulatory hammer begin to fall — hard.
Since just about every company is powered by software and technology these days, this has made cybersecurity a top priority for organizations everywhere. That’s putting a lot of pressure on cybersecurity leaders to level up their governance, risk, and compliance programs.
Here are five looming cybersecurity regulations — from the state level all the way up to the global level — that cyber risk leaders should start preparing for right now:
1. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
In March 2022, the U.S. SEC issued the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requirements. This proposed regulation would apply to public companies, so be on the lookout if you recently IPO’d.
Under this SEC requirement, public companies must disclose how they govern cybersecurity, including:
- Which board members have cybersecurity expertise
- The processes they have in place to educate their board on cyber risks
- How their business strategy addresses cyber risks
- Whether they can report cybersecurity incidents within four business days of discovering them
- How they’re sharing updates on reported cybersecurity incidents
These requirements primarily target the boards of publicly traded companies, but it isn’t a bad idea to do this with the rest of your business, too. Make sure you educate all of your employees — not just your board — on cyber risks, so you’re protected at every level of your organization.
This requirement hasn’t become law yet, but it’s expected to go into effect in April 2023.
2. Cybersecurity Maturity Model Certification (CMMC) program
The CMMC is a new Department of Defense rule that will likely land in May 2023. This program requires any DoD contractor to certify that their cybersecurity controls meet federal requirements.
While this program only applies to your organization if you work with the Department of Defense, we included it on this list because it signals a significant trend: government agencies, large enterprises, and other organizations are no longer willing to take at face value an organization’s claim that it takes cybersecurity seriously — they want to see proof.
We expect this trend will only grow, which is why it’s a smart idea to document and be able to provide evidence of all of your cyber controls right now. When you need control documentation, a platform like LogicGate tracks everything for you automatically and lets you easily share proof of your cybersecurity controls and implementation with your cyber insurance provider, vendors, or customers.
3. Executive Order 13984
Issued under the Trump Administration, Executive Order 13984 requires any infrastructure as a service (IaaS) company to verify the identities of their customers. The goal is to spot nefarious foreign actors that use U.S.-based IaaS solutions to commit crimes.
Businesses operating under an IaaS model should work with their GRC teams to comply with these reporting expectations within the first two quarters of the year, as the rule will go into effect in June 2023.
4. California Privacy Rights Act (CPRA)
The CPRA isn’t all that new, but enforcement of this strict consumer privacy law will go into effect in July 2023. The CPRA is similar to Europe’s General Data Protection Regulation in that it grants consumers some level of control over how their personal data is handled, including the right to know what a business has collected about them and how that data is used, the ability to opt out of allowing a business to use their information, and the ability to request that it be deleted, among other rights.
Though the law technically only applies to residents of California, its implications will have a much broader impact, since nearly every company in the world has customers located in the most populous state in the world’s largest economy. Violations can easily tally into the millions of dollars. Businesses that engage in digital advertising and use consumer data to fuel their programs need to pay particular attention to this law.
Now is the time for businesses with customers or employees in California to double-check their data collection policies — including their ability to delete data and ensure non-discrimination — to confirm that they are compliant.
5. American Data Privacy and Protection Act (ADPPA)
The ADPPA is essentially the federal version of the CCPA. Currently, the ADPPA is sitting with the House of Representatives, but it’s not on the legislative agenda. While we might not see movement in 2023, businesses need to plan for ADPPA rules coming through eventually. You may need to make changes to your data handling practices to:
- Protect minors against targeted ads
- Collect only essential data
- Properly dispose of data
- Honor all data deletion requests within 30 days
In the meantime, your business can prepare for ADPPA by keeping an eye on privacy and cybersecurity regulations across different state lines. Organizations still have to contend with different laws on a state-by-state basis, which will make your GRC programs more complex in 2023.
Don’t let cybersecurity regulations catch you off-guard
Regulations exist for good reasons, but they can still cause headaches — or worse — for your business. Work with your legal and compliance departments to ensure you’re prepared to meet the requirements of coming cybersecurity regulations this year.
If these regulations are keeping you up at night, a modern GRC platform like LogicGate can give you greater peace of mind. Get a demo now to see how LogicGate can help you stay in compliance with any cybersecurity requirements.