We are all aware that cybersecurity is a pressing concern for businesses, regulators, and policymakers alike. However, what constitutes “reasonable” cybersecurity remains subject to interpretation. Understanding how regulators and lawmakers approach defining “reasonableness” is crucial for organizations to manage compliance and risk effectively.

There are several methods used to define what constitutes “reasonable” cybersecurity:

  • Legislative Specifications: Clearly defined cybersecurity requirements established directly by statute, providing organizations with precise rules to follow.
  • Binding Regulations: Detailed, enforceable rules issued by regulators, compelling organizations to adhere strictly to specified cybersecurity standards.
  • Case-by-case Enforcement: Regulators evaluate cybersecurity practices individually, often through litigation or investigations, establishing precedent through enforcement actions.
  • Non-binding Guidance: Recommendations provided by regulators intended to guide best practices but not legally enforceable. These offer flexibility and adaptability.
  • Reference to Industry Standards: Regulations that cite established cybersecurity frameworks or standards developed by recognized organizations (such as NIST or ISO) as benchmarks for compliance.
  • Adoption of Industry-written Rules: Regulators formally adopt cybersecurity standards and rules developed by industry groups, leveraging specialized expertise and ensuring practical applicability.

Increasingly, regulators encourage organizations to tailor cybersecurity controls to their specific threat landscape and risk profile. This approach avoids a one-size-fits-all mandate and instead promotes context-sensitive decision-making. State-level legislation, such as the California Consumer Privacy Act (CCPA) or the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, also continues to shape what constitutes “reasonable” by imposing granular requirements in areas like breach notification and third-party risk management.


It’s all about risk reduction, not perfection.

A fundamental principle underlying cybersecurity regulations is the acknowledgment that perfect cybersecurity is unattainable. Regulators emphasize reasonable measures that significantly reduce risk rather than eliminate it entirely. This practical approach helps organizations prioritize resources effectively. In addition, regulators understand that threats evolve, budgets are finite, and technology stacks vary across sectors. “Reasonable” cybersecurity, therefore, often hinges on a company’s ability to:

  • Identify critical assets and risks.
  • Implement appropriate technical and organizational safeguards.
  • Monitor and respond to incidents.
  • Demonstrate continuous improvement.

Courts and regulators may also consider an organization’s size, industry, resources, and history of prior breaches when assessing reasonableness. Documentation of cybersecurity decisions, such as why a specific control was or wasn’t implemented, can serve as critical evidence of good faith efforts.


Sector-Specific Regulations

Here are some key federal cybersecurity statutes that Congress has adopted to regulate cybersecurity within specific sectors:

  • Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information by requiring healthcare providers and related entities to implement robust cybersecurity measures.
  • Children’s Online Privacy Protection Act (COPPA): Regulates online data collection practices affecting children under 13, mandating stringent cybersecurity measures to safeguard children’s privacy.
  • Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to ensure the security and confidentiality of customer information through specific cybersecurity guidelines.
  • The Energy Policy Act of 2005: Addresses cybersecurity for critical infrastructure within the energy sector, setting compliance standards to protect vital energy assets.
  • The Commodity Exchange Act: Ensures cybersecurity measures in financial markets, protecting trading platforms and market integrity.
  • Federal Information Security Modernization Act (FISMA): Requires federal agencies and contractors to follow rigorous cybersecurity standards, reinforcing the principle that reasonable cybersecurity varies by organizational mission and system sensitivity.
  • Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): Requires timely reporting of certain cyber incidents by critical infrastructure entities, underscoring the importance of rapid response and transparency as part of a reasonable cybersecurity posture.

These federal statutes empower respective regulators to adopt detailed regulations, significantly shaping cybersecurity practices within their sectors. Notably, these statutes do not create private rights of action, meaning enforcement is exclusively governmental.


Understanding the various ways regulators define and enforce “reasonable” cybersecurity helps organizations manage compliance and risk effectively. By focusing on practical risk reduction rather than unattainable perfection, entities can better protect themselves and meet regulatory expectations.


Hope you found this post helpful and informative. Thanks for stopping by!