Emerging Cyber and Data Security Regulations Warn: Assessments Matter!
The failure to comply with these assessment requirements could increase the spotlight on a company should it suffer a data breach. It is imperative that companies understand emerging laws and regulations to which they may be held accountable and proactively modify their practices to manage risk.
Data cybersecurity laws and regulations in the United States are fast-moving and ever-changing. There is a growing focus on cybersecurity governance, and companies increasingly need to assess their security and information practices to ensure compliance with emerging assessment requirements. These requirements will compel organizations to take a hard look at their cybersecurity and information governance practices. The failure to comply with these assessment requirements could increase the spotlight on a company should it suffer a data breach. It is imperative that companies understand emerging laws and regulations to which they may be held accountable and proactively modify their practices to manage risk.
Risk Assessments as a Best Practice
National and international standards, such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), have historically recommended conducting risk assessments as a best practice for validating the implementation of appropriate security safeguards. A risk assessment helps a company manage its risk by identifying and prioritizing risk to operations, assets, information, and systems. NIST states that the purpose of a risk assessment is to identify threats; vulnerabilities; impact; and likelihood of harm. See Nist Special Publication 800-30 ch. 1, (Sept. 2012).
Understanding a company’s cybersecurity risk is becoming an increasingly valuable metric to investors. In the aftermath of a data breach, investors and regulators are requiring companies and their executives to disclose what was known about the cybersecurity health of the company at the time of the data breach. Such was the case with SolarWinds and its chief information security officer, who were charged with fraud for misleading investors about known cybersecurity risks. See press release, U.S. Securities and Exchange Commission, “ SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures,” (Oct. 20, 2023).
New Rules and Increased Enforcement Action by the SEC
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted cybersecurity rules requiring public companies to disclose their management, governance, and strategy practices on an annual basis and to disclose material cybersecurity incidents. See press release, U.S. Securities and Exchange Commission, “ SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” (July 26, 2023).
As part of a company’s S-K filing, New Item 106(b) requires a company to describe its “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” This requirement includes disclosing the company processes for identifying and managing cybersecurity risks, including the use of assessors, consultants, or auditors to assist with such processes. Further, New Item 106(c) requires companies to describe management’s role in assessing and managing material cybersecurity risks.
While conducting an assessment is not a hard requirement, the SEC has increased enforcement actions against companies and their executives who fail to maintain adequate cybersecurity protections in the event of a data breach. See press release, U.S. Securities and Exchange Commission, “ SEC Announces Enforcement Results for Fiscal Year 2023,” (Nov. 14, 2023). Having a cybersecurity assessment in place allows a company to demonstrate reasonable protective measures to guard its information’s security and to comply with recommended practices.
Paul Munter, chief accountant at the SEC, raised several concerns and considerations regarding the importance of risk assessments. See statement, U.S. Securities and Exchange Commission, “ The Importance of a Comprehensive Risk Assessment by Auditors and Management,” (Aug. 25, 2023). He recommends taking a broader approach to assessing risks, including entity-level issues that could ultimately impact financial reporting. One caution is against looking at each individual data breach as an isolated example. Munter states that management has an obligation to “take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks.”
New State Regulations Requiring Risk Assessments
Over the past year, several states have added or amended regulations concerning risk assessments. In November 2023, the New York Department of Financial Services (NYDFS) significantly amended cybersecurity requirements for financial services companies. See NYDFS, Second Amendment to 23 NYCRR 500. The amendment implemented several key changes, including:
- Requiring a covered entity to perform penetration testing and vulnerability scans of information systems; requiring business continuity and disaster recovery (BCDR) planning; requiring multi-factor authentication for any individual accessing internal networks from an external network; and requiring asset management, including a complete asset inventory.
- Adopting additional cybersecurity and reporting requirements for larger financial companies that meet NYDFS’ definition of “Class A Companies” defined under Section 500.1(e) of the amended cybersecurity requirements to conduct “independent audits” of their cybersecurity programs; to implement certain access control for monitoring privileged access; and to implement endpoint detection, logging and alerts.
- Increasing accountability of the chief information security officer (CISO) to the senior governing body (board-level oversight) for the organization’s cybersecurity program. The CISO and highest-ranking executive are required to sign an annual certification declaring material compliance with amended cybersecurity requirements. If noncompliant, a written acknowledgment must be signed along with a description of the nature of noncompliance.
In fall 2023, the California Privacy Protection Agency (CPPA) released draft regulations that, once finalized, will require companies whose processing of consumer’s personal information “presents significant risk to consumers’ security” as defined by the regulation to perform independent annual cybersecurity audits. The latest draft regulation from the CPPA’s Dec. 8, 2023, board meeting is exacting, with a heavy focus on ensuring documentation for a wide range of components are in place to protect personal information, some of which include:
- Authentication, such as the use of multi-factor authentication and strong, unique passwords or passphrases;
- Account Management and access controls, including restricting privileged access; monitoring new account creation; monitoring physical access;
- Inventory and management of personal information and the business’s systems;
- Secure configuration of hardware and software, such as updates and upgrades, cloud-security, masking of sensitive personal information, patch management, and change management;
- Vulnerability scans, penetration testing reporting;
- Audit log management;
- Network monitoring and defenses;
- Cybersecurity training and awareness;
- Records and information management schedules of personal information;
- Business response to security incidents; and
- Business-continuity and disaster-recovery plans.
See proposed rulemaking draft: Cybersecurity Audit Regulations, CA Privacy Protection Agency Board Meeting (Dec. 8, 2023).
What might be challenging for many companies is not just the level of detail and scope of the audit, but also the current requirement to provide a written certification. And like NYDFS’s certification compliance, the current CPPA draft regulation requires a company to specify which sections the company has not complied with and the nature and extent of noncompliance. This requirement for increased transparency is clearly visible in the newly enacted and proposed regulations. The potential reach of these new regulations could shine a bright light on organizations’ current practices for protecting personal information. There may be different views on how extensive documentation requirements will be for required cybersecurity and risk assessments, but there is the potential for these to be cumbersome.
Retention Impacts of Cybersecurity and Privacy
As seen with the NYDFS cybersecurity requirements and proposed CPPA cybersecurity audit regulations, documentation of policies and procedures related to security and protection of personal information and security practices is becoming more of a focus for regulators.
Organizations should ensure their policies are up to date and well documented and that they are tracking retention of individual data points for personal information (e.g., driver’s license numbers, credit card numbers, etc.) as well as broader records (e.g., invoices). It is important that corporate departments, including legal, information security, privacy, and information governance/records and information management (RIM), partner together to ensure that retention requirements are met for all categories and types of data. For organizations that do not yet have retention policies, it should serve as a wake-up call that now is the time to develop and implement these policies.
Organizations should plan and prepare for cybersecurity audits and risk assessments by ensuring they create and retain records regarding their practices and testing for the appropriate amount of time. These can include:
- Cybersecurity threat intelligence data regarding current trends and attacks;
- Software and hardware configurations, patch management, and upgrade schedules;
- Cybersecurity training and compliance records;
- Systems inventory;
- Privacy compliance, including data protection impact assessment (DPIA) and data subject access request (DSAR);
- Audit log management, including collection, review, and retention of security logs;
- Penetration testing programs for both internal and external testing;
- Data breach notification and response procedures;
- Documentation surrounding data breach responses;
- Developing or updating inventory tracking for systems to ensure controls and compliance;
- Retention and deletion policies for both traditional records and individual data points, with a focus on data minimization for personal data;
- Policy compliance documentation, including remediation efforts.
The requirements imposed by the newly enacted and proposed regulations are likely the beginning of directives to come stemming from the increased focus on security and information practices. The increasingly strong regulations, thus far, appear to be coupled with equally strong enforcement, at least by the SEC. The SolarWinds enforcement certainly signaled that companies need to examine their cybersecurity and information governance practices thoroughly and, in turn, sufficiently and honestly disclose the company’s risks. The evolving landscape of data cybersecurity law and enforcement is uncharted territory, but companies should start now to set themselves up for success in the wake of these new regulations.
Companies are advised to be vigilant in preparing for these assessments by ensuring the proper systems and controls are in place and that the appropriate documentation is being created, retained and shared to support these assessments.
Judy Branham is counsel with the law firm of Redgrave LLP in its Minneapolis, MN office. Branham focuses her practice on e-discovery, information governance, data privacy and cybersecurity, and digital forensic matters and has led investigations of and responses to complex data breaches, including ransomware, business email compromise, denial-of-service, and state-sponsored attacks. She can be reached at jbranham@redgravellp.com.
Laurie Carpenter is a director with the firm in its Los Angeles office. Carpenter has over 25 years of experience advising on information governance and records and information management in various industries and is a frequent facilitator on topics including cybersecurity and privacy information governance matters, gamification, program marketing, partnerships and alliances, electronic records management, and records management basics. She can be reached at lcarpenter@redgravellp.com.