From a regulatory perspective, many industries have been living in the land of milk and honey, as cyber programs have largely been guided by voluntary measures. However, regulators’ patience has grown thin with the public-private partnership / voluntary measures approach and, as a result, cybersecurity regulation is on the way.
We know that change is coming on a national level, as the pending Biden cyber strategy is strongly considering regulation as a means to achieve more consistency in the national approach. But what about individual regulators? Well, some of them are certainly not sitting on their hands, most notably the Securities and Exchange Commission (and the New York Department of Financial Services).
Reporting and responsibility are the two biggest changes coming down the pike. Under SEC rules expected to be finalized within months, publicly traded companies that determine a cyber incident has become “material” (and could have a significant impact on the business) must disclose details to the SEC and investors within 4 business days. That requirement also stands when “a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.”
The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when they exercise oversight of cyber risks. That information includes identifying who on the board (or which subcommittee) is responsible for cybersecurity and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed about and discuss cyber risk.
James Dever Esq., Principal of Lockhaven Solutions, says that increasing the onus on boards will help ensure cyber programs are dealt with like other business risks. “Cybersecurity is a strategy, not a technical solution,” says Dever, “the change in approach driven by this regulation will finally help align risk with strategy, something that has been severely lacking in industries that attempt to deal with cyber risk simply by employing ever-more expensive technical solutions.” Dever added, “In addition, this will help improve accountability to shareholders, an issue sorely lacking in the cyber context.”
Beyond the increase to reporting and responsibility, what is the practical “so what” of these regulators getting more involved in the cyber space? These regulators can also impose enforcement actions and levy massive fines, which, in the financial crimes world, have amounted to hundreds of millions of dollars.
It is safe to say things are changing, and businesses need to face these new requirements as soon as possible, as more regulators will likely follow the lead of the SEC and NYDFS in 2023.
Dr. Jack Dever J.D., LL.M., S.J.D. is the CEO of Lockhaven Solutions.
Jack served as FBI Assistant General Counsel. In this role he advised on cyber operations against nation state actors and global Tier 1 operations against Al Qaeda and affiliate organizations. He was an Assistant US Attorney for the Northern District of Illinois (Chicago). In this capacity he worked on a wide array of cases, including foreign cyber espionage and data exfiltration. Jack served on active duty in the US Army as a Judge Advocate. He deployed multiple times to Iraq, Afghanistan, Bosnia and the Horn of Africa. He was awarded the Bronze Star and Purple Heart Medals.
After leaving government service, Jack was an Executive at General Electric where he served as Global Crisis Management Leader. In this role, he developed the Business Intelligence Unit which investigated cyber fraud and financial crime. Jack went on to several enterprise risk leadership roles at several of the world’s largest banks, including GE Capital, Wells Fargo, and UBS.
Jack holds a doctorate in Cyber Law. He has lectured extensively at universities, law schools and private institutions. He is Co-Director at the Center for National Security and Human Rights Law in Chicago and has published multiple peer-reviewed articles on Cyber Law, Banking Law, and National Security Law.
He remains active in support of Disabled Veterans and underserved communities.
James Álvaro Dever, Esq. is a Principal at Lockhaven Solutions.
James was a US Air Force Professor of Cyber Warfare. He taught Cyber Law, Intelligence Law, National Security Law, Privacy Law, and Space Law at the Air War College (AWC), Air Force Cyber College (AFCC), Air Force Judge Advocate General’s School (JAG School), Air Command and Staff College (ACSC), and Air Force Research Lab Information Directorate (AFRL), the nation’s premier research organization for Computers and Intelligence. In partnership with AFCC and National Security Agency (NSA) Cryptologic School colleagues, he designed new graduate degree programs in Cyber Strategy for senior military officers and Department of Defense (DoD) civilians. He has provided cyber education to senior government officials and private sector leaders from South America, Central America, Europe, Africa, Australia, and Asia.
He served as a US Army Judge Advocate. He was the Cyber Warfare Judge Advocate at Army Cyber Command (ARCYBER) where he provided real-time legal advice on worldwide cyber offensive, cyber defensive, and DoD information network missions. He was Chair of the Law Department at the US Army Intelligence School. He taught Cyber Law, Intelligence Law, and National Security Law to DoD military personnel and civilians. He taught Advanced Source Operations at the HUMINT Training Joint Center of Excellence (HTJCOE), served as a Cyber Law Judge Advocate at the US Army Network Enterprise Technology Command (NETCOM), and was a Cyber Law liaison to the US Army Intelligence and Security Command (INSCOM).
Prior to the Army, he worked at Deloitte Cyber Risk Services. At Deloitte, he partnered with the National Institute of Standards and Technology (NIST) and helped create the Trusted Identities in Cyberspace and Privacy Engineering programs. He facilitated cybersecurity risk management for Fortune 100 companies.
He has published peer-reviewed law articles and book chapters on Cyber Law, Privacy Law, and National Security Law. He has lectured about enterprise cyber risk management at diverse venues including the Congressional Cybersecurity Caucus, the American Bar Association, NYU School of Law, the US Air Force Academy, and NATO Allied Command. He has taught extensively at universities and law schools. He is Advisory Director at the Center for National Security and Human Rights Law in Chicago and Co-Director, Cyber Risk Management for Executives Program. He is on the Board of Directors at the Journal of Law & Cyber Warfare.