Navigating the Cybersecurity Regulatory Landscape: A 2024 Legal Update

As the digital landscape evolves, so too does the regulatory framework governing cybersecurity. In 2024, companies across various sectors are faced with an increasingly complex web of cybersecurity rules and regulations. This article provides an overview of key developments from the past year, focusing on new requirements from major regulatory bodies such as the SEC, FTC, FCC, FHA, NYDFS, FAA, FINRA, and CISA. While this update is not exhaustive, it serves as a valuable guide for organizations striving to comply with heightened cybersecurity standards and incident reporting obligations.

The Growing Focus on Cybersecurity

The past year has seen a marked increase in regulatory scrutiny surrounding cybersecurity. This trend reflects a broader recognition of the critical importance of safeguarding sensitive information and maintaining operational integrity in the face of evolving cyber threats. Regulators are particularly focused on ensuring that organizations report cyber incidents promptly and transparently, as well as adhere to robust security protocols.

Expanded Incident Reporting and Disclosure Requirements

One of the most significant trends in cybersecurity regulation is the expansion of incident reporting and disclosure requirements. Organizations are now required to provide more detailed information about cyber incidents within shorter timeframes. Below are some of the key developments in this area:

1. SEC’s Cyber Disclosure Rule: The Securities and Exchange Commission (SEC) has implemented a new rule mandating public companies to disclose material cybersecurity incidents within four business days of making a materiality assessment. This rule emphasizes the need for timely communication and allows for delayed disclosure only under specific circumstances, such as national security concerns, with prior approval from the U.S. Attorney General.

2. FTC’s Amendments to the Safeguards Rule: Effective May 13, 2024, the Federal Trade Commission (FTC) revised its Safeguards Rule, which requires financial services companies to notify the FTC of any security breach involving the information of at least 500 consumers within 30 days of discovery. This amendment underscores the FTC’s commitment to consumer protection and data security.

3. HUD’s Cyber Incident Reporting Requirements: The U.S. Department of Housing and Urban Development (HUD) has introduced new reporting requirements for FHA-approved mortgagees. Under Mortgagee Letter 2024-10, mortgagees must report suspected cyber incidents to HUD within 12 hours of detection, reflecting the urgency of addressing cybersecurity threats in the housing sector.

4. FCC’s Data Breach Reporting Requirements: The Federal Communications Commission (FCC) adopted new rules in December 2023 requiring telecommunications providers to notify the FCC and affected customers of data breaches affecting 500 or more customers within seven business days. This rule aims to enhance consumer protection in the telecommunications industry.

5. CIRCIA’s Reporting Requirements: The Cybersecurity and Infrastructure Security Agency (CISA) has proposed new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Covered entities will be required to report cyber incidents within 72 hours and ransom payments within 24 hours. These requirements are expected to take effect in 2026.

Heightened Security Standards

In addition to incident reporting requirements, 2024 has seen the introduction of more stringent cybersecurity standards across various industries. These regulations focus on essential security measures, including multi-factor authentication (MFA), encryption, risk assessments, and third-party risk management. Key developments include:

1. New York State Department of Health Cyber Regulations: On October 2, 2024, the NYSDOH adopted cybersecurity regulations for hospitals, mandating the implementation of security controls such as MFA, risk-based authentication, and annual risk assessments. Hospitals must also notify the NYSDOH of any cybersecurity incidents.

2. FAA Proposed Cyber Changes: The Federal Aviation Administration (FAA) has proposed new design standards to address cybersecurity threats in transport category airplanes. These standards include conducting security-risk analyses to identify and mitigate cybersecurity vulnerabilities.

3. NYDFS Cyber Amendment: The New York Department of Financial Services (NYDFS) published an amendment to its cybersecurity regulation on November 1, 2023. This amendment introduces increased governance requirements, expanded notice and compliance certification requirements, and mandates incident response planning and encryption of nonpublic information.

4. NAIC Model Law: The National Association of Insurance Commissioners (NAIC) has seen several states adopt its Model Law, which includes provisions for cybersecurity governance, oversight of third-party service providers, and incident response plans. As of October 3, 2024, 26 states have adopted this model law.

5. CSBS Model Law: The Conference of State Bank Supervisors (CSBS) has updated its Nonbank Model Data Security Law, which imposes requirements for safeguarding customer information and mandates notification in the event of a cybersecurity incident.

6. SEC Regulation S-P: The SEC has amended Regulation S-P to require market participants to safeguard customer records and notify affected individuals in the event of cybersecurity incidents impacting sensitive information.

7. FINRA Guidance: Although the Financial Industry Regulatory Authority (FINRA) has not yet published specific cybersecurity rules, it has provided guidance on mitigating third-party vendor cybersecurity risks, emphasizing the importance of risk assessments and incident response planning.

Global Developments in Cybersecurity Regulation

While this update primarily focuses on U.S. regulations, it is essential to note that cybersecurity legislation is also evolving globally. For instance, the European Commission adopted the Network and Information Security 2 Directive (NIS2) on October 17, 2024, which establishes cybersecurity rules for organizations providing essential services. Similarly, Hong Kong has proposed new cyber legislation for critical infrastructure operations, reflecting a global trend toward enhanced cybersecurity regulation.

Conclusion

As organizations navigate the increasingly complex cybersecurity regulatory landscape, it is crucial to stay informed about new requirements and best practices. The developments of 2024 underscore the importance of proactive cybersecurity measures, timely incident reporting, and compliance with heightened security standards. By understanding and adapting to these changes, companies can better protect themselves against cyber threats and fulfill their regulatory obligations in an ever-evolving digital environment.