New Cybersecurity Regulations To Impact South Florida Businesses
We live in a world of unrelenting technological advancement and digitalization. Fuelled by a rising volume of sensitive information moving across interconnected and integrated systems, the cybersecurity threat landscape is growing exponentially in scope, scale, and complexity.
The rise of emerging technologies such as 5G connectivity and the Internet of Things (IoT) will only exacerbate the situation. More connected devices mean more potential targets, and faster 5G connections will allow online threat actors to move faster.
Private entities — who tend to bear the brunt of cybercrime — have traditionally been left to their own devices. But most businesses struggle to contend with the prevalent online threats. Realizing that cyberattacks’ impact can significantly damage infrastructure and disrupt economies, governments are stepping in.
New Laws and Regulations
The worsening private sector predicament has prompted governments to scale up efforts to address cybersecurity — in the form of new legislative regulations. In the US, a new set of proposed regulations is imminent at the state and federal levels. This suite of laws and regulations will significantly impact South Florida businesses.
As the government works to address today’s cybersecurity challenges, the shifting regulatory landscape will put private entities in the hot seat. Businesses must start reviewing the proposed legislation and evaluating its potential impact on their organizations.
The State of Cyber Incidents Reporting
Considering that there seems to be at least one data breach in the news most weeks, you’d be forgiven for thinking that all cyberattacks are documented and reported. But the truth is that the vast majority of breaches go unreported, even in healthcare, where there is a regulatory framework for reporting cyberattacks.
In the past, most regulation around cybersecurity has focused on privacy rather than cybersecurity. As a result, companies are only required to report breaches involving the loss of personal data, such as social security numbers, credit card information, names, addresses, et cetera, to the relevant authorities.
For instance, when a ransomware attack took down the largest fuel pipeline in the US and led to shortages across the East Coast, Colonial Pipeline wasn’t required to report the incident since the attackers didn’t steal any personal data.
New Cybersecurity Reporting Requirements
Cyber incidents go unreported for many reasons, but in most cases, cyberattacks are swept under the rug to control hysteria. However, we need accurate reporting if we’re to gain any ground in the war against cybercrime.
Various government bodies and agencies, including Congress and the SEC, are considering regulations requiring companies to report all cybersecurity incidents. If these laws are enacted, companies will be required to report breaches that don’t involve personal data loss, such as the Colonial Pipeline ransomware attack.
The NIST defines a cyber incident as any action resulting in an actual or potentially adverse effect on an IT system, network, or the information stored within. This overly broad definition means that South Florida businesses may be required to produce daily reports, which can be a considerable burden.
What South Florida Businesses Can Do
The government — via regulatory agencies — is looking to increase cybersecurity oversight via legislation. The impact of new cybersecurity regulations is likely to cut across all sectors. Here are some steps South Florida businesses can take to prepare for the new wave of cybersecurity regulations.
Evaluate Your Ransomware Policies
When a ransomware attack hits, organizations have a few options, and the choice depends on the cost of each one. If you have a backup of your systems, you can use it to restore the affected systems. If you don’t have a backup, you may rebuild your network environment from scratch. Or you can pay the ransom.
However, the last one — paying the ransom — may no longer be an option for businesses even where that makes economic sense. Some of the proposed cybersecurity legislation will require organizations to report ransomware attacks and make it illegal to pay a ransom.
In light of the proposed legislation, South Florida businesses must review their ransomware attack policies. The thinking behind these proposed regulations on ransomware payments is that by paying ransoms, you are enabling malicious actors to continue with their attacks.
Inspect Your Software Supply Chain
Software vendors often combine several software packages for sale as a single unit, commonly known as bundled software. Bundled software is a security risk due to poor programming practices. Bundled software expands the attack surface by creating vulnerabilities in your systems.
To combat the threat of bundled software, some of the proposed regulations will require businesses to keep an up-to-date Software Bill of Materials (SBOM) to stay on top of the various pieces of code embedded in their systems. An SBOM is a list of all constituent components that make up the software or applications you use for work.
Review Policies and Procedures Regarding Materiality
The Securities and Exchange Commission (SEC) is one of the government agencies stepping up to address concerns of increasing cybersecurity threats. Under the proposed SEC rules, organizations must promptly disclose material cybersecurity risks and incidents. But assessing materiality is not always straightforward.
When is a cybersecurity incident material? In light of these regulations, South Florida businesses subject to SEC rules need to define ‘materiality’ and evaluate their policies, procedures, and key considerations for making material determinations. Put internal protocols in place to streamline these decisions.
LAN Infotech Helps South Florida Businesses Comply and Stay Secure
Data breaches are our new reality. Cybercriminals are constantly honing their skills and tactics to steal sensitive business and consumer data. A shifting landscape of ransomware attacks and system outages has catapulted cybersecurity into the legislative and regulatory spotlight.
LAN Infotech provides reliable network security to secure your networks and computer systems. With LAN Infotech in your corner, you don’t have to worry about the flood of regulations coming your way. Our cybersecurity team will craft and execute a cybersecurity strategy that keeps you in the know and compliant.
Schedule a consultation to learn more about how we can help you minimize the risk of exposure and stay compliant with new cybersecurity regulations.
LAN Infotech is a Microsoft Cloud Services Provider, an IT Managed Support company, a top technology management company, and a leader in helping law firms, nonprofits and medical organizations deploy cloud solutions, manage computer networks, and keep data protected. Businesses like yours need technology support to run highly effective organizations.