In 2024, businesses will continue to face an evolving landscape of cyber threats, along with an increasingly complex regulatory environment. With heightened scrutiny from regulators, consumers, and investors, the need to bolster security measures and improve incident response capabilities has become even more important. Here’s our top 10 list of what to watch for from cybersecurity regulators in 2024:
1. Increased focus on individual liability. Regulators have been increasingly focused on individual liability. In 2022, we reported that the Federal Trade Commission (FTC) had named the CEO of Drizly individually in its complaint alleging data security failures at the company. This past October, the U.S. Securities and Exchange Commission (SEC) filed a complaint against the chief information security officer (CISO) of SolarWinds Corporation based on allegations that they 1) fraudulently made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity posture; 2) fraudulently misled the public after the discovery of cyberattacks; and 3) failed to maintain adequate internal accounting controls to protect SolarWinds’ critical assets from cyberattacks. SolarWinds and its CISO dispute the allegations and are defending against the SEC’s complaint.
2. New SEC requirements for public companies. All companies filing 10-K disclosure forms with the SEC will have to comply with new requirements to disclose information about their risk management and governance strategies, retention of outside advisors such as assessors, consultants, or auditors in connection with these processes, and oversight of third-party service providers. In addition, companies other than smaller reporting companies will have to file 8-K forms within four days after learning that a security incident is material (with smaller reporting companies being subject to this requirement starting on June 15, 2024). There is an exception to the four-day disclosure requirement if the U.S. Attorney General (AG) determines that revealing the information poses a risk to national security or public safety. Companies requesting a delay must provide comprehensive information about the incident and contact the FBI via a dedicated email or another government agency promptly, preferably before they finalize their materiality analysis of the incident, but no later than contemporaneously with a materiality determination. If a company requests a delay from the U.S. Department of Justice (DOJ) and doesn't get a response within the four-business-day timeframe, it still has to file the Form 8-K.
3. New requirements for federal contractors. In 2024, the Federal Acquisition Regulation Council (FAR Council) will likely finalize two rules applicable to federal contractors. The FAR Council proposed these rules in October, to implement requirements under the 2021 Executive Order on Cybersecurity, and the comment period ended in December. The first rule, when finalized, will apply to any federal contractor using information and communication technology systems in the performance of a federal contract, set new cybersecurity incident reporting requirements, and impose a software bill of materials (SBOM) requirement. Under the proposal, these contractors would be required to report to the Cybersecurity & Infrastructure Security Agency (CISA) security incidents within eight hours of discovery that a security incident may have occurred and update their submission every 72 hours until they have completed eradication or remediation activities. The second rule, aimed at contractors providing or maintaining a Federal Information System (FIS), aims to standardize cybersecurity requirements for unclassified FISs. Together, the proposed rules, if finalized, would require new contract clauses and representations.
4. New breach reporting requirements for non-bank financial institutions. Starting in May 2024, non-bank financial institutions will be required to report certain data breaches and other security events to the FTC under the Gramm Leach Bliley Act Safeguards Rule. Institutions such as mortgage brokers, motor vehicle dealers, and payday lenders will have to notify the FTC no later than 30 days after discovering a "notification event," defined as unauthorized acquisition of unencrypted customer information impacting at least 500 people. This could include any instance where unencrypted information is accessed by a third party without the consumer’s consent.
5. New requirements for financial institutions under NYDFS Cybersecurity Rule amendments. Under amended Cybersecurity Rules from the New York Department of Financial Services (NYDFS), state-licensed financial institutions will have to notify the NYDFS within 72 hours of a cybersecurity incident, with continuous updates on material changes or new information about the incident. In the event of extortion payment, covered entities need to provide details about the payment within 24 hours of it being made, including the reasons for the payment, alternatives considered, and due diligence performed to ensure compliance with rules and regulations. Additional amendments create new requirements for larger “Class A entities,” including a requirement to obtain an independent audit. All covered entities will also need to 1) have a senior governing body (i.e., board or equivalent) with sufficient understanding to exercise effective cybersecurity oversight, and 2) require the CISO to timely report material cybersecurity issues to the senior governing body or senior officer.
6. Forthcoming proposal on cyber incident reporting for companies in critical infrastructure sectors. In March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under CIRCIA, CISA must develop and publish a Notice of Proposed Rulemaking (NPRM) requiring covered entities to report covered cyber incidents within 72 hours from the time the entity reasonably believes the incident to have occurred, along with other reporting requirements. Covered entities include those that function in an industry that is among the 16 critical infrastructure sectors like energy, defense, government facilities, chemical, communications, and emergency services. According to the timeline set by CIRCIA, CISA is required to publish the NPRM within 24 months of the enactment date, which suggests the NPRM would be issued in the first quarter of 2024. Companies in covered sectors should be on the lookout for the proposal and may want to provide comments in response to the NPRM.
7. Updated Cybersecurity Maturity Model Certification requirements for defense contractors. The Department of Defense (DoD) has released its proposed rule to implement the Cyber Maturity Model Certification (CMMC) program, which is a key part of DoD’s efforts to prevent foreign adversaries from stealing sensitive data from U.S. defense contractors. The proposed rule will require many contractors handling Controlled Unclassified Information to verify that they have implemented required cybersecurity controls (consistent with NIST 800-171) by obtaining certifications from Certified Third-Party Assessment Organizations, in addition to certifications and affirmations by contractor executives. The proposed rule also introduces a formal accreditation process for said Certified Third-Party Assessment Organizations. The public comment period for this proposed rule ends on February 26, 2024.
8. Potential new requirements for certain LLMs and cloud providers under the AI executive order. In October 2023, President Joe Biden issued an executive order (EO) on Safe, Secure, and Trustworthy Artificial Intelligence (AI), which treats the development of large language AI models as a potential threat to national security and calls on a number of federal agencies to issue rules in 2024 addressing various aspects of these threats. For example, entities that develop certain foundational models will become subject to new reporting requirements to the Department of Commerce (DoC), such as a requirement to share the results of “red-team safety tests.” Certain cloud providers will be obligated to report any rental by a foreign person of U.S. cloud server space to train large AI models with potential capabilities that could be used in malicious cyber-enabled activity. The U.S. Department of Homeland Security (DHS) and various other agencies are tasked with issuing guidance to mitigate AI systems’ threats to U.S. critical infrastructure (e.g., power grids, water supplies, transportation, and communication networks), and other risks including chemical, biological, radiological, nuclear, and cybersecurity risks.
9. New requirements for companies using AI systems under the upcoming EU AI Act. The European Union (EU) recently reached a political agreement on the EU Artificial Intelligence Act (EU AI Act), which calls for AI systems to have a cybersecurity posture commensurate with the heightened risk level associated with such systems. While the details of the political agreement are yet to be disclosed, official press releases indicate that high-risk AI systems (e.g., AI used in biometric identification systems, medical devices, recruitment, determining access to education, influencing elections) must implement technical solutions to address AI-specific vulnerabilities. This may include measures to prevent and control for attacks trying to manipulate the training dataset (“data poisoning”), inputs designed to cause the model to make a mistake (“adversarial examples”), or model flaws. Providers of powerful general-purpose AI models must conduct model evaluations and adversarial testing, and report to the European Commission on serious incidents. The adoption of the AI Act is expected in early 2024.
10. New requirements for companies active in critical sectors in the EU. The EU Network Information Systems Directive (NIS 2) came into force on January 16, 2023, and applies from October 18, 2024. NIS 2 introduces new cybersecurity obligations for companies that carry out their business in critical sectors in the EU, including cloud services and data center providers, banks, entities carrying out research and development activities of medicinal products, manufacturers of electrical equipment and medical devices, airlines, and social networking platforms. NIS 2 imposes strict cybersecurity risk management requirements and reporting obligations (including filing an early warning within 24 hours after becoming aware of a significant incident, and an incident notification within 72 hours).
