With recent cybersecurity regulations now requiring organizations to implement and maintain cybersecurity programs, it is essential to build one that protects your organization’s digital assets and data from threats such as cyberattacks, data breaches, and unauthorized access. A robust program should encompass a range of policies, procedures, technologies, and training to mitigate risks effectively. However, this is not a one-time effort: cybersecurity programs require continuous monitoring, adaptation, and improvement to protect your organization in an evolving threat landscape.
Below, I’ve outlined a high-level overview of two existing regulations that require organizations to establish, maintain, and regularly update their cybersecurity programs.
1. Numerous states have enacted regulations mandating the establishment of a comprehensive Written Information Security Program (WISP). A good illustration is 201 CMR 17.00, which sets the standards for safeguarding the personally identifiable information (PII) of Massachusetts residents. In essence, this regulation requires that any organization handling or storing PII of a Massachusetts resident must create, implement, and maintain a comprehensive WISP. It explicitly states that the WISP should encompass a broad spectrum of elements, ranging from internal cybersecurity policies to the actual implementation of controls that support those policies. Furthermore, the regulation emphasizes continuous cybersecurity training and awareness for all employees.
2. The Securities and Exchange Commission (SEC) has recently unveiled updated rules mandating quicker disclosure of cybersecurity incidents by public companies. Under these new rules, organizations must report cybersecurity incidents deemed “material” under new Item 1.05 of Form 8-K within a four-day window. Additionally, the SEC has introduced new Item 106 of Regulation S-K, which will be integrated into a company’s annual 10-K filing. This rule requires public companies to describe their processes for identifying, assessing, and managing material risks from cybersecurity threats. It also mandates the disclosure of any prior cybersecurity incidents that have had a material impact on the company.
Although the United States legal framework hasn’t undergone significant changes for several years, I anticipate that the recent updates to the European Union’s General Data Protection Regulation (GDPR) will exert considerable pressure on the US to develop, embrace, and enforce a more robust legal framework for cybersecurity in the years to come.
What we should all take from this, beyond the specifics of these regulations, their content, and speculation about further regulations to come, is the constant commitment these requirements demand. Cybersecurity programs and associated measures are not “set it and forget it” endeavors; they require persistent attention and diligence. Whether we are business owners, executives, or employees, it is imperative that we remain focused and intentionally incorporate cybersecurity practices into our daily operations to safeguard sensitive and confidential data.
To learn more about protecting your organization, join us at our Cybersecurity Summit on October 5th, onsite at our headquarters in Canton, MA, where you can explore our lineup of sessions and speakers and reserve your spot at the event.