Welcome to the third episode in our new four-part podcast series, Full disclosure, where we explore key cyber regulatory challenges across different regions – UK, Europe, US, and Asia.
In the latest edition of Full disclosure by S-RM, host Matthew Mettenheimer delves into US cyber regulations with Michael Clark, Head of S-RM's US Cyber Advisory Practice, and Aisling Freeman, a senior associate within the same practice.
Listen to the S-RM Insider podcast
Cyber regulations in the US: A shift in dependency
The cybersecurity and data privacy regulatory landscape in the US is experiencing a significant shift. Companies are now required to increase their transparency and accountability in cybersecurity risk management, and these requirements have trickled down to the third-party vendors and suppliers that support regulated industries.
Variety of compliance requirements
And compliance requirements are not one-size-fits-all. The SEC's new cyber disclosure rules (which came into effect in December 2023), for example, apply only to public companies. The Cybersecurity Maturity Model Certification (CMMC) 2.0 program, on the other hand, is aimed solely at organizations that contract with the Department of Defense and at the subcontractors that support them. On top of this, a growing patchwork of state and local regulations is driving increased data privacy requirements.
Michael sums up the common driver behind the new regulations: "All of this new regulation is really designed to start forcing organizations to put the right practices and processes in place. You've got companies that are supporting industries that tend to be a little bit more heavily regulated - financial services, healthcare, pharma, etc. - that have tons of consumer data, information on the US population… or those companies who have the potential to impact our critical infrastructure. The regulations ask, what are you doing to take the right steps to ensure that you've got the right safeguards in place?"
But this variation in sector-specific and regional regulations has complicated cybersecurity and risk management practices for organizations. As Michael warns, "I think you're going to see more and more regulatory or enhanced regulatory scrutiny around cyber risk management."
The impact of non-compliance
Non-compliance with these cyber regulations can have severe consequences, ranging from financial penalties to loss of business. Aisling highlights the CMMC 2.0 as an example, stating, "Non-compliance [with CMMC] will result in loss of existing federal contracts and potential disqualification from future defense contracts."
And as Michael points out, it is equally vital for individual C-suite personnel across corporate sectors to keep a keen eye on evolving regulations: "While the industries are different, organizational leadership needs to come together to define what 'right' looks like to them." In summary, it's not just about complying with the regulations but also consciously upholding the intent behind them to maintain a safe and secure business environment.
Coping with complexity
The complexity of the US regulatory landscape mirrors the ongoing advances in technology and the changing ways organizations communicate and do business. New regulations are pushing organizations to rethink their strategies and redefine their approach to cyber risk management. Proactive measures such as frequent audits, risk assessments, and transparency in operations form the crux of coping with these regulatory challenges.
Both Michael and Aisling also emphasize the importance of working with trusted advisors and legal counsel to navigate these complexities, and they highlight the need for organizations to stay informed and keep abreast of changes in the regulatory environment.
Preparedness goes a long way in cybersecurity. As the saying goes, it's not a matter of 'if' a cyber incident will occur, but 'when'. A robust and proactive cyber risk management strategy helps companies respond swiftly to incidents and meet the reporting and other obligations the applicable regulations impose.
Looking forward
As the intertwined landscape of business operations, global politics, and cyber regulations continues to evolve, companies need to stay abreast of these changes. This means understanding how their industry- or sector-specific compliance obligations apply to their business operations, and what the implications of non-compliance are.
Above all, the focus should not only be on compliance but on upholding secure business practices that align with the regulations' underlying purpose. Cybersecurity is a team sport, requiring effort and dedication from all corners of an organization to ensure a safe and secure business environment in the face of evolving cyber threats. Amid all the complexity, the most effective approach is a combined one: robust cybersecurity practices paired with a sustained commitment to continual learning and adaptability.
Stay tuned for the next episodes in our Full disclosure series by subscribing to Latest thinking here. If you would like to discuss any of the topics raised in this podcast with the S-RM team, please do not hesitate to contact us.