October 29, 2024

Trends in US Cybersecurity Regulation


As cybersecurity rules proliferate, companies must navigate a maze of new, and often overlapping, proactive and reactive cybersecurity requirements and guidance. This Legal Update surveys new cybersecurity rules and regulations from the past year, including those from the SEC, FTC, FCC, FHA, NYDFS, FAA, FINRA, and CISA. While not an exhaustive list of requirements and developments, this Legal Update can serve as a quick guide to key regulatory developments across industries, particularly expanded incident reporting and disclosure requirements and heightened security standards. As the brief summaries below show, these changes reflect a continuing focus on cybersecurity across a broad range of industries, sustained regulatory interest in quick reporting of cyber incidents, and regulators' shared interest in many of the same core security controls across diverse contexts.

While this update is focused on US law, many new cyber-related regulations have also been adopted around the globe. For example, the Network and Information Security 2 Directive (Directive (EU) 2022/2555) ("NIS2"), adopted by the European Parliament and Council in December 2022, sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities; the deadline for Member States to transpose it into national law was October 17, 2024. Hong Kong has also proposed cyber legislation for critical infrastructure operators.

2024 has also brought new policy and regulatory activity on data sharing and other related areas that Mayer Brown has reviewed elsewhere. For instance, the year kicked off with the Department of Commerce’s proposed rule to “improve detection and prevention of foreign malicious cyber activity and prevent US services from being used against US interests” for Infrastructure-as-a-Service providers. Further, President Joseph Biden issued Executive Order 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data by Countries of Concern,” which will restrict certain transfers of US data to countries of concern to mitigate the risk of malicious use.

Expanded Incident Reporting / Disclosure

The past year has seen numerous new requirements relating to reporting or disclosing cybersecurity incidents, as outlined below. Generally speaking, these rules continue the trend toward reporting or disclosing more detailed information about cyber incidents on shorter timelines.

  • SEC’s Cyber Disclosure Rule. The Securities and Exchange Commission’s (SEC) Rules on Public Company Cybersecurity Disclosures of Incidents and Processes (“Cyber Disclosure Rule”) require companies to report material cybersecurity incidents and to describe their cybersecurity risk management, strategy, and governance in a standardized manner. The Cyber Disclosure Rule requires registrants to disclose information about a cybersecurity incident on Form 8-K (Item 1.05) within four business days after the registrant determines that the incident is material; the materiality determination itself must be made without unreasonable delay after discovery of the incident. The Cyber Disclosure Rule permits delay of the disclosure only where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
  • FTC’s amendments to the Safeguards Rule. On May 13, 2024, the Federal Trade Commission’s (FTC) revisions to the Standards for Safeguarding Customer Information (the “Safeguards Rule”) went into effect. The Safeguards Rule applies to non-bank financial institutions subject to the FTC’s jurisdiction and now requires them to notify the FTC of a “notification event” involving the information of at least 500 consumers as soon as possible, but no later than 30 days after discovery. A notification event is the unauthorized acquisition of unencrypted customer information. Two points matter in practice: unauthorized access is presumed to be an acquisition unless the institution has reliable evidence showing that the information was not, or could not reasonably have been, acquired; and customer information is treated as unencrypted if the encryption key was also accessed by an unauthorized person.
  • HUD’s Significant Cybersecurity Incident Reporting Requirements. On May 23, the US Department of Housing and Urban Development (HUD) published Mortgagee Letter 2024-10 governing Significant Cybersecurity Incident (Cyber Incident) Reporting Requirements (“Cyber ML”). The Cyber ML requires FHA-approved mortgagees that experience a suspected Cyber Incident to report it to HUD within 12 hours of detection.
  • FCC’s Data Breach Reporting Requirements. The Federal Communications Commission’s (FCC) Data Breach Reporting Requirements, FCC 23-111 (“Breach Notification Rule”), were adopted in December 2023. The Breach Notification Rule requires telecommunications carriers and telecommunications relay service providers to notify the FCC, the United States Secret Service, and the Federal Bureau of Investigation as soon as practicable, and in no event later than seven business days after reasonably determining that a breach has occurred, where the breach affects 500 or more customers. Breaches affecting fewer than 500 customers must be reported on the same timeline unless the carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, in which case the breach is instead included in an annual summary filing. Customers must be notified without unreasonable delay and no later than 30 days after the reasonable determination of a breach, unless law enforcement requests a delay. The rule also expanded the definition of a breach to cover inadvertent access, use, or disclosure of customer information, not only intentional intrusions.
  • CIRCIA’s Reporting Requirements. In April 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published its Notice of Proposed Rulemaking on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements to implement that statute. Under the proposed rule, a broad range of covered entities would have to report a covered cyber incident within 72 hours of when the covered entity reasonably believes that the covered cyber incident has occurred, and report a ransom payment within 24 hours of the payment being disbursed. The proposal would also require supplemental reports when substantial new or different information becomes available and preservation of data relevant to the incident. The reporting requirements are expected to take effect in 2026, after issuance of a final rule.

Heightened Security Standards

In addition to the incident-notification requirements, the last year has seen the continued adoption of broader cybersecurity regulations imposing cybersecurity standards on covered businesses. These new state and federal rules focus on many of the same areas as existing rules, such as multi-factor authentication (MFA), encryption, risk assessments, vulnerability management, and management of third-party cyber risk. Many of these comprehensive cybersecurity requirements also include new cybersecurity incident notification requirements of the kind described above.

  • New York State Department of Health Cyber Regulations. On October 2, the New York State Department of Health (NYSDOH) adopted cybersecurity regulations governing hospitals in the state. These regulations require hospitals to implement certain security controls, such as MFA for external access to internal networks, risk-based authentication, annual risk assessments, and encryption of nonpublic information. They also require hospitals to notify the NYSDOH of a cybersecurity incident within 72 hours of determining that one has occurred.
  • The Federal Aviation Administration Proposed Cyber Changes. The Federal Aviation Administration (FAA) proposed new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers on August 21. Among these changes were cybersecurity standards for designs of airplanes and supporting equipment, including a security-risk analysis to identify cybersecurity threats and mitigate identified vulnerabilities. The public comment period closed on October 21, with 17 comments having been received by the FAA.
  • New York Department of Financial Services Cyber Amendment. On November 1, 2023, the New York Department of Financial Services (NYDFS) published an amendment to its cybersecurity regulation. As we discussed in our Legal Update, this amendment included increased governance requirements and expanded notice and compliance certification requirements, including 72-hour notice of cybersecurity incidents and 24-hour notice of extortion payments. Its remaining requirements phase in on November 1, 2024 (including incident response and business continuity planning, governance, and encryption of nonpublic information (“NPI”)) and November 1, 2025 (including asset inventories and MFA for all access to information systems).
  • NAIC Model Law. In the past year, additional states, including Illinois, Oklahoma, and Rhode Island, adopted the NAIC Model Law, bringing the total to 26 state insurance regulators as of October 3, 2024. The National Association of Insurance Commissioners published its Insurance Data Security Model Law (“NAIC Model Law”) in 2017, based on NYDFS’s cybersecurity regulation. The NAIC Model Law includes provisions for cybersecurity governance, oversight of third-party service providers, incident response plans, and enumerated security measures such as access controls and encryption of NPI. It also requires notification of cybersecurity events to the state insurance commissioner as promptly as possible and no later than 72 hours after determining that a covered event has occurred.
  • CSBS Model Law. The Conference of State Bank Supervisors published the first version of its Nonbank Model Data Security Law (“CSBS Model Law”) in February 2022 and a second version in February 2024. It is based on the FTC Safeguards Rule, imposes requirements for safeguarding customer information, and requires certain updates to a financial institution’s information security program. The CSBS Model Law also requires notifying the state Commissioner of a notification event. To date, a few states, such as Minnesota, have adopted the CSBS Model Law.
  • SEC Reg S-P. The SEC published amendments to Regulation S-P on June 21, which will require market participants such as broker-dealers, registered investment advisers, funding portals, and registered transfer agents to safeguard customer records and information and properly dispose of customer information. The amendments require a written incident response program, including oversight of service providers, and require notice to affected individuals as soon as practicable, and no later than 30 days, after the covered institution becomes aware that unauthorized access to or use of their sensitive customer information has occurred or is reasonably likely to have occurred.
  • FINRA Guidance. As we discussed in our October Legal Update, although the Financial Industry Regulatory Authority (FINRA) has not yet published its own cybersecurity rules, it has provided guidance for mitigating third-party vendor cybersecurity risks, including performing risk assessments of third-party providers, implementing MFA for employees, applying patches for high-risk vulnerabilities, and revising incident response plans to address third-party incidents.
