2023 has furnished an onslaught of data breaches, smashing 2022’s numbers, and putting an exclamation point on the need for companies of every size to invest in cybersecurity. By September 2023, there were already 20% more data breaches in the US than in the entirety of 2022. Probably most alarming is that 98% of all organizations have a relationship with at least one vendor that has been breached in the last two years.
In an extensive study of the 2023 data breach landscape, MIT professor Stuart E. Madnick states that ransomware attacks reached “alarming levels” and that they’re now more “sophisticated and aggressive.” Hackers are more organized, forming ransomware groups, and are also far more likely to release breached data to the public, increasing the risk to consumers as well.
The “all-time-high” number of attacks has prompted a clampdown by authorities as regulators attempt to bring the mayhem under control. Organizations need to know about the latest regulatory trends to stay on top of cybersecurity needs and also to avoid being fined by new regulations that are becoming ever stricter.
New disclosure rules are now in place
The SEC adopted new rules that require publicly listed companies to disclose “material” cybersecurity incidents on Form 8-K within four business days of determining that an incident is material.
Although many companies were already disclosing such breaches, the new regulations mean these disclosures will follow a standard format that provides investors with all the essential information they need about the incident.
Disclosure notices must describe:
- Any “material” aspects of the “nature, scope, and timing of the incident.”
- Any “material” impact the incident has, or is reasonably likely to have, on the company, including its financial condition and operations.
The new rules also mandate that companies must report annually on:
- Their processes “for assessing, identifying, and managing material risks from cybersecurity threats,” and whether any such risks, including past incidents, have materially affected or are reasonably likely to materially affect the company.
- The role of management and the board of directors regarding their oversight of cybersecurity risks, and how these are managed.
Similar to what ESG (environmental, social, and corporate governance) regulations have done to raise investor awareness of company ESG practices, the new cybersecurity regulations will enforce accountability for cybersecurity preparedness. Management will now have to answer publicly for what it’s doing (or not doing) to prevent data breaches and to recover from them.
Even private companies should take heed of the SEC’s rules. Their stated aim is to give investors consistent, comparable information about incidents, but the broader goal is to curb the epidemic of data breaches and protect consumers. Recovery costs and regulatory fines can be steep for all companies, but data breaches can be especially disastrous for small companies because they don’t have the financial resources or the reputation to bounce back easily.
Key lesson: Taking cybersecurity seriously is more important than ever. The short disclosure window means organizations need a robust detection and triage process so that an incident is detected, assessed for materiality, and reported on time, and they must be able to show what they have invested in building cyber resiliency.
Ransomware group files SEC complaint against victim
In a twist of events reminiscent of the 1960s show The Twilight Zone, the ransomware gang Alphv/BlackCat filed an SEC complaint against digital-lending company MeridianLink after the company declined to pay the hackers’ ransom.
You read that right. This might just be the biggest story of the year.
BlackCat (also known as Alphv) claims to have hacked MeridianLink, stolen its data, and then demanded a ransom payment. The complaint it says it filed with the SEC alleges that MeridianLink failed to report the breach to the SEC within four days of the breach.
As tongue-in-cheek as all this is, the hacker group’s attempt indicates that, regardless of how good they might be at violating people’s rights and exfiltrating data, they know little of the law. Specifically:
- The SEC’s incident-reporting requirement (Form 8-K Item 1.05) only takes effect on December 18, 2023, and the annual-report requirements apply to fiscal years ending on or after December 15, 2023. Even if BlackCat had a feline leg to stand on, they should have waited until the rule was in force to carry out their thievery.
- The SEC rule gives companies four business days after they determine that an incident is material to disclose it, not four days after the breach itself. BlackCat claims it breached MeridianLink on November 7, but MeridianLink says the incident occurred on November 10.
- MeridianLink’s internal investigation indicated that the incident was not material enough to require disclosure.
Regardless of the dark humor in this situation, it poses several valid legal questions that companies must consider. Specifically, does a hacker have standing to file a valid complaint, even when it is plainly an attempt to coerce the company into paying the ransom?
Key lesson: Companies must have rigorous event logging in place and tamper-evident records, ideally verified by a third party, so that if an investigation finds no breach (or finds the incident immaterial) they can prove it. Companies must also report material incidents on time. By following the regulations, criminals won’t be able to use this avenue to coerce payment.
The SEC gets busy with fines and investigations
Although the SEC’s new disclosure rules only take effect in mid-December 2023, the agency can already charge companies under existing securities regulations, which broadly cover anything that misleads or endangers investors.
In March 2023, the SEC announced that software company Blackbaud Inc. would pay $3 million to settle a case where the company allegedly made misleading disclosures regarding a 2020 data breach.
Just recently, in September 2023, the SEC charged the broker-dealer Virtu Financial for failing to adequately protect a database containing customer information. The database was allegedly accessible to nearly anyone at Virtu and its affiliates. This case falls squarely within the scope of investor protection and intersects with cybersecurity.
Key Lesson: Customer data must be secured whether you’re in finance, healthcare, or an unregulated sector. Finance and healthcare already have rigorous regulations in place, but the SEC’s cybersecurity disclosure rules will apply to public companies in every sector.
CMMC 2.0 is getting underway
The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense (DoD) to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The DIB refers to the “worldwide industrial complex that enables research and development of military weapons systems, subsystems, and components or parts.”
CMMC 1.0 was launched in November 2020 to ensure that organizations in this sector adhered to essential security levels. CMMC 2.0 is designed to further protect this sector’s “sensitive unclassified information from frequent and increasingly complex cyberattacks.”
The CMMC 2.0 model itself has been public since November 2021: it collapses the original five levels into three, with Level 2 built on the 110 controls of NIST SP 800-171. What is still pending is the rulemaking that writes CMMC 2.0 into contracts, and the Pentagon is gathering comments from industry as the next step. Some companies have moved ahead with CMMC 2.0 implementation, and the DoD intends to make CMMC 2.0 compliance a condition of upcoming contracts.
Key Lesson: Waiting too long could keep you from bidding on contracts if you can’t meet the required level when it is written into a solicitation. There’s also a good chance that other government departments will adopt CMMC certification as a requirement, so any organization that wants to work with the government should be considering certification now.
How organizations can prepare for 2024
Complacency is no longer an option regarding cybersecurity, especially for publicly listed companies. But even smaller companies need to sit up and pay attention to cybersecurity needs. The risk to a company’s financial and reputational viability, not to mention the risk to individual lives, as a result of breached data is quite real.
The primary trend is clear: Cybersecurity is an absolute necessity, and regulations are moving into place to ensure that companies, both small and large, implement it. Yet, no matter how essential, attaining and maintaining cyber preparedness is a heavy burden for most companies.
Cybersecurity needs have grown so vast that putting together a cybersecurity team that can tackle all aspects of your security posture is no easy feat—and it can quickly grow costly. The worldwide shortage of cybersecurity professionals doesn’t help matters.
Fortunately, managed security program providers such as SolCyber have emerged as a streamlined way to build cyber resiliency quickly without expanding your own team.
A managed security program provider can supply the tools and services you need to maintain a robust security posture at a fraction of the cost of building it in-house. SolCyber offers solutions that fit businesses of all needs and sizes, including comprehensive coverage, monitoring-only services, and access to discounted cyber insurance.
To learn more about how SolCyber can help you cover your cybersecurity bases, contact us for a no-obligation call today.