May 31, 2024

How the Latest Cybersecurity Regulations Impact Your Organization

In recent years the cybersecurity regulatory landscape has expanded quickly, driven by the growing frequency and impact of security incidents on organizations and their customers. Many regulators now require organizations to implement strong defenses and to disclose the security incidents they experience honestly and promptly. These mandates are meant to strengthen enterprise security postures and shield customers from the damage caused by cyberattacks. The accelerating pace and growing complexity of these rules, however, can overwhelm even experienced security and compliance teams. This article summarizes the most important aspects of six cybersecurity regulations to simplify your company's compliance planning.

Securities and Exchange Commission (SEC) Cybersecurity Disclosure Rules

In July 2023, the U.S. SEC adopted rules requiring domestic registrants and foreign private issuers (FPIs) to disclose a cybersecurity incident within four business days of determining that the incident is "material". Note that the materiality determination, not the discovery of the incident, starts the clock, and the determination must be made without unreasonable delay. The disclosure is filed on Form 8-K (Item 1.05) by domestic registrants and on Form 6-K by FPIs, and must describe the material aspects of the incident's nature, scope, and timing, and its material impact (or reasonably likely material impact) on the registrant.

The rules also require annual disclosure of the registrant's processes for assessing, identifying, and managing material cybersecurity risks, together with the board's oversight and management's role in those processes. This disclosure goes in the annual report (Form 10-K, Item 1C, for domestic registrants and Form 20-F for FPIs).

Effective date:
- December 18, 2023, for domestic registrants and FPIs
- June 15, 2024, for smaller reporting companies (SRCs)

Applicability:
- U.S. public companies ("domestic registrants")
- Foreign private issuers (FPIs)

Non-compliance penalties: Non-compliance may result in an injunction barring the registrant from a specific type of activity. The SEC can also impose monetary penalties, which this article's sources place at $5,000 to $100,000 per violation for the offending organization.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

CIRCIA aims to help U.S. critical infrastructure organizations prevent, deter, defend against, respond to, and mitigate significant cyber incidents. It requires covered entities to report covered cyber incidents to CISA within 72 hours of reasonably believing that one has occurred, and to report any ransom payment within 24 hours of making it. An incident report must include:
- Technical details of the incident, its scope, and its root cause
- The types of information compromised
- Evidence of the exploits or techniques used
- The security controls and policies in place before the incident
- The list of other agencies notified

A ransom payment report must also include the payment details, including the cryptocurrency wallets, recipients, and amounts.

Effective date: CISA published its proposed rule in April 2024; the reporting obligations take effect only once the Final Rule is issued. The expected date for the Final Rule is September 15, 2025, when implementation begins. Congress could accelerate this timeline in the event of another major attack on critical infrastructure.

Applicability:
- Public and commercial organizations ("covered entities") in the United States operating in the power, finance, food and agriculture, water, healthcare, defense industrial base, transportation, and other critical infrastructure sectors
- Third-party suppliers to companies in those sectors

CIRCIA non-compliance penalties: CISA may issue a request for information and then a subpoena to a non-reporting entity, and may refer non-compliance to the U.S. Attorney General for civil enforcement. Fines of up to $50,000 per day have also been cited for non-compliance.

Network and Information Security 2 (NIS2) Directive on Cybersecurity

The NIS2 Directive specifies the minimum cybersecurity measures that EU critical infrastructure organizations must implement. Its aim is to make these organizations strengthen the security of their network and information systems and thereby protect the vital functions of EU society. NIS2's cybersecurity requirements cover three key areas:
- Risk management: organizations must implement measures to minimize cyber risk, including encryption, access control, network security, and supply chain security
- Corporate accountability: company management must approve and oversee cybersecurity measures and can be held liable for failing to address cyber risks
- Business continuity: organizations must maintain a plan for continuing operations after a major cyber incident

In addition, the Directive requires essential and important entities to report significant incidents to the relevant national authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Effective date: EU member states must transpose NIS2 into national law by October 17, 2024

Applicability: EU organizations operating in the 18 sectors listed in the Directive's annexes and designated as either "essential entities" (EE) or "important entities" (IE)

NIS2 non-compliance penalties:
- For EEs: up to €10 million or 2% of global annual turnover, whichever is higher
- For IEs: up to €7 million or 1.4% of global annual turnover, whichever is higher

National supervisory authorities can also impose non-monetary remedies, including orders to undergo a security audit and orders to notify the non-compliant entity's customers of a threat.

Digital Operational Resilience Act (DORA)

DORA is a unified set of rules that harmonizes the EU's various ICT security requirements for financial entities in order to strengthen their IT security and ensure the resilience of the EU financial sector. Under DORA, regulated entities must run a digital operational resilience testing program, including regular vulnerability assessments of their ICT systems and, for entities designated by their competent authority, threat-led penetration testing (TLPT) at least every three years.

They must also:
- Identify, classify, and document all ICT-supported business functions, roles, and responsibilities, and the ICT assets supporting those functions
- Identify all sources of ICT risk
- Map all critical information assets and ICT assets
- Implement an ICT risk management framework that includes an information security policy, strong authentication mechanisms, and procedures and controls for ICT change management

Effective date: January 17, 2025

Applicability:
- 20 types of financial entities in the EU, including banks, insurance companies, and investment firms
- Third-party information and communication technology (ICT) service providers to those entities, with critical providers subject to direct oversight

DORA non-compliance penalties: DORA leaves the administrative penalties for financial entities to the competent authorities of each member state; commonly cited figures run up to 2% of total annual worldwide turnover. Critical ICT third-party providers can be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover for each day of non-compliance with the Lead Overseer's measures, and fines of up to €5 million have also been cited for ICT service providers.

EU Cyber Resilience Act (CRA)

The CRA's cybersecurity rules seek to ensure that the hardware and software products placed on the EU market ship with fewer vulnerabilities and can therefore protect users from a wide range of cyber threats. The law complements other EU legislation such as the NIS2 Directive to strengthen the cybersecurity posture across the EU. It does so by requiring manufacturers of products with digital elements (PDEs) to:
- Ensure the cybersecurity of every PDE throughout its lifecycle, from design through end of support
- Inform customers about the PDE's cybersecurity properties so they can make informed decisions about buying and using it
- Define a support period for the product (at least five years, unless the product is expected to be in use for a shorter time)
- Provide security updates throughout that period
- Report actively exploited vulnerabilities and severe incidents affecting the product's security to ENISA and the relevant national CSIRT, starting with an early warning within 24 hours

By mandating these requirements, the CRA aims to give consumers safe and secure products that safeguard their data and privacy.

Effective date: the CRA entered into force on December 10, 2024. The vulnerability and incident reporting obligations apply from September 11, 2026, and the main obligations apply from December 11, 2027.

Applicability: Manufacturers, developers, importers, and distributors of PDEs placed on the EU market, whether established inside or outside the EU

CRA non-compliance penalties: Non-compliance with the essential cybersecurity requirements can attract fines of up to €15 million or 2.5% of total global turnover, whichever is higher. Providing incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities can attract fines of up to €5 million or 1% of global turnover, whichever is higher.

Product Security and Telecoms Infrastructure (PSTI) Act

The Product Security and Telecommunications Infrastructure (PSTI) Act received Royal Assent in the United Kingdom on December 6, 2022, and addresses both consumer-connectable product security and telecommunications infrastructure resilience. Consumer-connectable products (also called "smart" products) are products that can connect to the internet or a network and send and receive digital data, such as smart TVs, baby monitors, home automation and alarm systems, and smart doorbells. Aiming to safeguard both individual users and critical services, the PSTI Act requires manufacturers of such products to meet the minimum security requirements set out in the accompanying Security Requirements for Relevant Connectable Products Regulations 2023. The key requirements are as follows:
- Manufacturers may no longer ship products with universal default passwords; passwords must be unique per device or set by the user, and must not be easily guessable.
- Manufacturers must publish a vulnerability disclosure policy with a point of contact so that outside individuals or organizations can report product vulnerabilities.
- Manufacturers must be transparent with consumers about the minimum period during which the product will receive security updates. This information must be communicated in a way that is easily understood by consumers without technical knowledge.

Effective date: April 29, 2024

Applicability: Manufacturers, importers, and distributors of consumer-connectable products

PSTI Act non-compliance penalties: Non-compliance with the PSTI Act can cost manufacturers a maximum fine of £10 million or 4% of their qualifying worldwide revenue from their most recent complete accounting period, whichever is greater.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.