On Dec. 15, the Securities and Exchange Commission’s (SEC’s) expanded cybersecurity rules came into effect, requiring public companies to disclose incidents within four business days.
Largely unnoticed by the press, institutional investors, or anyone else, the federal government is quietly directing a seismic shift in the economy by mandating stringent cybersecurity compliance across all 16 critical infrastructure sectors.
These sectors include well-known and highly regulated markets such as the defense industrial base, financial services, and energy, regulated by the Department of Defense (DoD), SEC, and Department of Energy (DoE), respectively. However, often overlooked are the subsectors beneath those 16 sectors, which comprise nearly every company and component of our economy, making nearly every business in scope for the emerging cybersecurity compliance regulations flowing down across the federal government at an increasingly rapid pace. The commercial facilities sector, for instance, consists of eight subsectors, including real estate, retail, sports leagues, and entertainment venues. There is no place to hide from cybersecurity regulation and mandatory minimum cybersecurity requirements.
While some argue that this is government overreach, it’s clear why these regulations are coming fast and furious. China, Russia, and other Asian and Eastern European countries pose a tremendous cyber threat that shows no signs of slowing down.
This heightened cybersecurity revolution began last year with the White House’s executive order and unfolds as a movement that transcends borders. A dozen nations have aligned with the U.S. cybersecurity efforts, reflecting a collective endeavor toward a fortified global digital economy.
The government is pulling every regulatory lever available to quietly define and enforce mandatory cybersecurity minimums on the entire economy in the same way it mandates seatbelts, airbags, and other safety features in automobiles.
We’re heading toward a burgeoning market for cybersecurity compliance, with the ripple effects resonating through legal corridors as fraudulent cybersecurity claims come under the judicial scanner. Proper security controls will no longer be a choice, but a legal and economic imperative, marking a new epoch of digital resilience and a reinforced economic structure.
What Does This Mean for Small Business Owners?
There are several areas where small business owners and leaders will be impacted. Here are a few examples:
- More Compliance Requirements are Coming – As stated above, more and more government compliance requirements are coming, for nearly all industries. Don’t assume that these compliance regulations don’t apply to you. Clients and vendors in your supply chain may also implement their own third-party requirements for meeting cybersecurity minimums.
- Lawsuits Regarding Cybersecurity Coverups – Last October, Pennsylvania State University was sued by a former chief information officer (CIO) for allegedly failing to safeguard CUI and falsifying security compliance reports. The case is ongoing, but there’s already precedent. Last July, Aerojet Rocketdyne agreed to pay $9 million to resolve a similar case. More than $2.2 billion was paid out in settlements and judgments in False Claims Act cases last year, and over $1.7 billion of that was related to the healthcare industry.
- Cyber Insurance Costs Increasing – Not only are cyber insurance premiums going up, but so are deductibles, and the cybersecurity controls required to obtain cyber insurance are increasing as well.
- Cyber Insurance Doesn’t Always Pay Out – Small business leaders need to ensure that they understand their cyber insurance policy’s requirements for minimum cybersecurity controls. If they don’t maintain those minimum controls and are hit with a cyber attack, their cyber insurance claim may be denied.
If you’re confused by this news, reach out for a complimentary Cybersecurity Discovery Call.