Mandatory cybersecurity is coming, according to details published by Slate of the Biden Administration’s National Cybersecurity Strategy now circulating in Washington. The document, which is expected to be approved in the coming weeks, details significant, meaningful changes in the way the United States approaches cybersecurity that every business owner needs to understand.
Mandatory Cybersecurity Is Coming to Some Sectors
Over the last few decades, as business owners know, cybersecurity has been voluntary. Business owners faced costly liability for failing to secure customer data, including the costs of credit monitoring and lawsuits, but there were no cybersecurity regulations or mandates. Government relied on conscience and customer pressure to convince business owners to do the right thing.
In recent years, the failure of the voluntary cybersecurity model has been plain. Cyber attacks have reached record highs each year. The most brazen attacks have gone after municipal government systems and what the Federal Government defines as “critical infrastructure”: pipelines, water supplies and electrical systems. The new guidelines present a direct response to the failure of voluntary compliance, and while their initial reach is limited, they point to a future of growing government oversight and regulation.
There are two main components to the Biden Administration plan:
- The United States Government will take direct action against cyber criminals. For the first time, offensive cyberattacks will be conducted under the supervision of the FBI’s National Cyber Investigations Joint Task Force. Organizations that conduct repeated attacks against U.S. targets, or that attempt to infiltrate critical infrastructure, will now face retaliation designed to degrade and destroy their capabilities. This is, essentially, a declaration of cyber war on hackers.
- Mandatory cybersecurity requirements will apply to organizations with critical infrastructure, including banking, utilities, telecommunications and emergency management. In areas where the Biden Administration lacks the authority to impose mandatory cybersecurity via an executive order, it is expected to seek Congressional authorization to do so.
Every U.S. Business Will Be Affected
The new U.S. government approach to cybersecurity reveals frustration at the current state of cybersecurity defenses. Although the plan will target critical infrastructure initially, these regulations will eventually affect any organization that conducts business online or uses the Internet for communications.
Directly and in the short term, any business that works with or supplies an organization subject to these rules will be required to follow them as well. Expect compliance with these rules to be part of any service or sales contract for businesses that support, supply or collaborate with critical-infrastructure organizations. Law firms and managed service providers will be among those facing new regulations before the end of 2023.
Over the long term, the standards developed to protect critical infrastructure will be handed down to all businesses and likely enforced at the Federal level. Those standards are not currently known, but based on FTC Safeguards Rule compliance, they are likely to include end-to-end encryption of all data, regular employee training, penetration testing, and restrictions on how and where data can be stored. Some level of certification or accreditation for cybersecurity oversight is also likely. Business owners in some sectors, including banking, mortgages and real estate appraisals, already must file compliance paperwork, as must the third-party vendors who support these businesses. Those requirements will eventually extend to all businesses and will present particular problems for those who develop their own software, apps or websites.
Businesses must begin to prepare now for tighter cybersecurity regulations, which will fall into three categories:
- Hardened Infrastructure: All systems will need to be secured and all data will need to be encrypted. Passwords will need to be strong, and two-factor authentication is likely to become mandatory.
- Employee Training: Cybersecurity awareness and anti-phishing training will be required on an annual basis. Employee response testing may be a requirement as well.
- Breach Monitoring and Response: Businesses will be required to monitor for data loss and intrusions, and to have written policies for responding to cyber attacks, including notification requirements for both law enforcement and customers.
By taking a comprehensive approach to cybersecurity now, businesses will find it easy to pivot to any new mandatory cybersecurity requirements. Businesses that already have some level of security in place may find it helpful to employ a Virtual CISO to review threat readiness and compliance, if only to establish a relationship with a cybersecurity professional in the event that new regulations require one.
Protect Now provides complete cybersecurity training and compliance support for small- and mid-sized businesses, specializing in the real estate, legal, managed hosting and municipal sectors. Our services can be customized to meet your specific needs and to work with legacy systems and decentralized operating environments. Contact us online or call us at 1-800-658-8311 to speak to a cybersecurity professional.