Author name: Prayukth K V

According to these publications, the US is working on revamping the cybersecurity regulatory framework to move away from a regime that is currently based on voluntary threat assessment and management to one that is based on regulations enforced by the federal government. The move comes in wake of increasing cyberthreats to IT, IoT, and OT-based infrastructure emerging from the ongoing conflict in Eastern Europe among other factors.   US lawmakers and regulatory agencies have identified the following trends as reasons for concern:  New threats emerging from APT groups and actors connected to the conflict and other countries harboring adversarial intentions against the US   Lack of a disciplined approach to cybersecurity by businesses   Voluntary regulatory requirements are not being met   The tendency to attribute successful cyberattacks to the extraordinary skills of hackers and the groups they are part of   In the pandemic era, businesses that are now bouncing back from periods of low revenue and growth are now focusing on growth rather than cybersecurity measures to protect and sustain growth   The threat perception of businesses in certain sectors is not aligned to ground realities   Current discretionary measures are not encouraging businesses to address cybersecurity concerns on priority and treat them with the same level of seriousness as that of health and safety and environment-related priorities that are highly regulated   Such trends could lead to a complete overhaul of cybersecurity legislation and the US may even bring in sector-specific regulations to improve the cybersecurity posture of the US as a country by getting businesses and industries as a whole to shrink postural gaps through regulatory compliance measures.   Also Read: Is NIST working on a potential cybersecurity framework update? With improvements in malware development and payload delivery mechanisms, hackers are increasingly staying a step ahead of countermeasures. However, businesses that have multiple levels of cyberdefenses and operate with requisite levels of awareness and diligence often detect and prevent cyberattacks. Further, companies that have invested in building and operationalizing a comprehensive cyber governance regime internally and across their supply chains are at a clear advantage as compared to peers who are focused only on operational aspects and revenue.   Is a cybersecurity overhaul the way forward?  Governments in the UK, Singapore, India Australia, and UAE are working on some form of regulatory intervention to get businesses to pay more attention to cybersecurity. Governments in these countries are also facing the same challenges that the US government is facing in getting businesses to voluntarily adopt and comply with better cybersecurity practices and report incidents early. Legislations enacted by the US may also trigger similar legislation in other countries that are not considering any cybersecurity-related legislation at present.   Also Read: The state of OT and IoT cybersecurity in North America However, one factor that we need to consider while relying on regulations is the ever-changing threat landscape. Every fortnight we are seeing the emergence of new actors, threat vectors, breach tactics, and collaborations. Access to complex malware and multi-loaders is now easier than ever and we have seen a significant deterioration of the threat environment since 2020. Thus, in addition to regulatory mechanisms, there should also be a commitment to modify these regulations periodically to keep them relevant and aligned to the threat environment and other important dynamic factors that have a bearing on cybersecurity.   Regulations should also encourage businesses to collaborate on best practices at an industry or a peer-to-peer level on cybersecurity issues. To learn more about how to improve your compliance posture, download our compliance kits.  Join our upcoming webinar: Key Takeaways from the Sectrio’s Global Threat Landscape Assessment Report 2022 IoT and OT focused threat Intelligence feeds free for 15 days! Try it right now: Threat Intelligence Also Read: Why IoT Security is Important for Today’s Networks? We also have the right cybersecurity solutions for your critical infrastructure. Allow us to give you a sneak preview of its capabilities through a no-obligation demo.  

As per the findings of the latest edition of Sectrio’s IoT and OT threat landscape report, cyberattacks are on the rise. There has been a significant improvement in the quality of cyberattacks as well since 2020 (or in the days following the onset of the pandemic) as hacking tools that were formerly with state-backed threat actors became widely available. So while the hackers got a major upgrade, cyber defenses are still at least half a decade behind them. Little wonder that regulators are working on improving existing frameworks, regulations, and standards to add new layers to help organizations fight cybercriminals, digital adversarial elements, and hackers better. The National Institute of Standards and Technology (NIST) has joined this list. Recently it published an RFI calling for stakeholder inputs on two cybersecurity-related areas: The relevance of NIST’s existing cybersecurity framework (CSF) in terms of use, adequacy, and timeliness. Are there any challenges that stakeholders are facing in integrating this framework with other NIST resources?   What kind of supply chain cybersecurity measures are required for NIST’s National Initiative for Improving Cybersecurity in Supply Chains (NIICS)? Outlining the rationale behind the decision to update the framework, NIST, in the RFI, says that the current framework was last updated in April 2018 and the cybersecurity landscape has changed significantly since then. NIST, therefore, wishes to use the suggestions received to improve the framework and make it more relevant and useful. Though a direct reference to an update is not made but when one glances at the references to the antiquity of NIST CSF and the need for organizations to better manage their cybersecurity risks, it becomes clear that sooner or later these suggestions or rather the ones selected by NIST will be used to modify CSF in some manner in the days to come. At the very least, NIST may go ahead and published an addendum to the current version of the CSF. NIST has, in the RFI, provided a list of possible themes and topics to be addressed in the response to the RFI. The primary subjects include: The advantages and benefits of the CSF and how they can be measured Known challenges and concerns in using the CSF Any part of the CSF that needs change or should be deleted  In case NIST decides to modify the CSF, would it create backward compatibility issues?   In addition to the above, NIST has also sought inputs from stakeholders on the compatibility of CSF with other ‘risk management resources’ which have been made available since the publication of the framework in April. Specific topics on which NIST is seeking inputs include: Improving the compatibility or alignment of CSF with other NIST resources including NIST frameworks around risk management, privacy, and IoT cybersecurity  Organizations that are using non-NIST frameworks can share information on steps to better integrate with such frameworks What steps can be taken to increase the adoption of NIST CSF   Updating the NIST’s Online Informative References Program to cover new terminologies/concepts. This is something we have seen in the SEC’s proposed new cybersecurity reporting rules as well. With businesses running operations across geographies, new terms and concepts are created often and these get added to the vocabulary of certain businesses segments or geographies while evading use in others. NIST and SEC both intend to address the addition of such terms to improve comprehension. On the issue of supply chain cybersecurity, NIST is looking at addressing these areas through the suggestions received in the RFI: What cybersecurity gaps have businesses encountered while working on or managing supply chains How are such gaps being addressed by these businesses? How can NIST help such businesses in addressing such gaps and challenges?  NIST is viewing supply chain security as part of a larger effort to improve the overall cybersecurity posture of the US. Supply chain cybersecurity-related topics that NIST has identified for inputs include: Key cybersecurity challenges associated with supply chain risk management that the NIICS could potentially address; The strategies and tools that organizations are currently using to manage cybersecurity-related risks in supply chains; NIST may want to know if these are enough or some gaps could potentially threaten the success of the overall supply chain cybersecurity approach a business has adopted Current gaps associated with cybersecurity supply chain risk management and if any NIST resources are addressing such gaps? How the overall cybersecurity supply chain risk management could be addressed in an updated CSF. NIST’s continuing attention to CSF and supply chain cybersecurity is commendable. This new exercise will certainly help make CSF more aligned to the new cybersecurity realities that have emerged since the pandemic set in as well as the geopolitical tensions that have arisen in different parts of the world.  Sectrio encourages all stakeholders to participate in this effort by NIST. The RFI response deadline is April 25, 2022. More details on how to provide your suggestions and comments are available at this link.  If you need more information or any clarification about this RFI please reach out to: CSF-SCRM-RFI@nist.gov or Katherine MacFarland, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899; (301) 975-3359. To learn more about how to improve your compliance posture, download our compliance kits.  We have the right threat intelligence for your critical infrastructure. Try it right now: Threat Intelligence We also have the right cybersecurity solutions for your critical infrastructure. Allow us to give you a sneak preview of its capabilities through a no-obligation demo.  

The Securities and Exchange Commission (SEC) has proposed an amendment to enhance and standardize the compliance mandates surrounding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The new rules will require publicly traded companies to be more open and forthcoming about cybersecurity events and puts a framework in place to asses incidents and report them in a timely and comprehensive manner to investors.  What do the SEC’s new amendments cover?  The new set of proposals aims to remove all reporting ambiguities while identifying priority areas for clear communication with investors.      Here are key highlights of the proposed new rules:  Page 16/129 talks about the regulator (SEC) observing discrepancies in certain cybersecurity incidents that were reported to the media but were not disclosed to SEC. SEC has also observed that some publicly traded companies while disclosing cybersecurity risks in the relevant section of their annual reports were mixing information with unrelated disclosures leading to confusion or investors finding it hard to locate relevant information.   Further SEC notes that “Registrants’ disclosures of both material cybersecurity incidents and cybersecurity risk management and governance have improved since the issuance of the 2011 Staff Guidance and the 2018 Interpretive Release. Yet, current reporting may contain insufficient detail and the staff has observed that such reporting is inconsistent, may not be timely, and can be difficult to locate. We believe that investors would benefit from enhanced disclosure about registrants’ cybersecurity incidents and cybersecurity risk management and governance practices, including if the registrant’s board of directors has expertise in cybersecurity matters, and we are proposing rule amendments to enhance disclosure in those areas.”   SEC has noted with concern that many companies are underreporting or not reporting cybersecurity events at all. SEC therefore proposes to amend Form 8K (report of unscheduled material events or corporate changes at a company that could be of importance to the shareholders or SEC) to mandate listed companies to disclose information on a cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. The disclosure must cover the following    When the incident was discovered and whether it is ongoing;  A brief description of the nature and scope of the incident;  Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;  The effect of the incident on operations; and  Whether the company has remediated or is currently remediating the incident.  Forms 10-Q and 10-K to be amended to require registrants to provide updated disclosure when a previously known individually immaterial cyber incident turns material in aggregate    SEC proposes to amend Item 407 of regulation S-K for companies to disclose if their board of directors includes people with cybersecurity expertise   Proposed Item 407(j)(1)(ii) includes the following non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity:  Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;  Whether the director has obtained a certification or degree in cybersecurity; and  Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning  To determine if an incident is material or not SEC prescribes a through objective evaluation of the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors  Incident examples cited by SEC  An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the company’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;   An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;   An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant   Item 1.05 of Form 8-K mandates disclosure even in a situation in which a state law delay provision would excuse notification. There is a possibility a company would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law. Towards this, the proposed amendments clearly differentiate local and state reporting and reporting to SEC  Risk management and strategy: Item 106(b) of Regulation S-K proposes to require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. The proposed rules would require disclosure concerning a company’s selection and oversight of third-party entities as well.  Proposed Item 106(c) would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.   The new rules according to SEC will benefit both investors and companies by offering timely standardized disclosures.   The proposing release has been published on SEC.gov and in the Federal Register. The comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website.    To learn more about how to improve your compliance posture, download our compliance kits.  We have the right threat intelligence for your critical infrastructure. Try it right now: Threat Intelligence We also have the right cybersecurity solutions for your critical infrastructure. Allow us to give you a sneak preview of its capabilities through a no-obligation demo.