As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while deterring nation-state attacks that threaten national and economic security. Some of these regulations may also provide an opportunity for MSSPs.
Many of these regulations are a reaction to what has generally been a hands-off approach to telling organizations how to secure themselves. Unfortunately, cybersecurity isn't always prioritized when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organizations hostage and put private information up for sale on the dark web.
Developed Nations Strive to Control an Ever-Changing Landscape
The new regulations are coming from all directions: at the state and federal levels in the U.S. and around the world. While many of them aren't yet final, there's no reason not to start aligning with where the trends are headed; doing so will ease the impact when the rules change. At the same time, many organizations want the government to take responsibility for defending against some kinds of attacks, particularly those by nation-states. It will be interesting to see how regulation works in practice, as most politicians and bureaucrats aren't known for their technological savvy.
In the U.S., for example, new regulations are in development at the Federal Trade Commission, the Food and Drug Administration, the Department of Homeland Security, the Department of Transportation, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency (CISA). Thirty-six states have enacted cybersecurity legislation, and the number of jurisdictions with rules keeps growing as other countries follow suit.
No More Secrets; Lawmakers Want to Understand What’s Happening and When
One of the motivating factors behind all these new regulations is that most cyberattacks aren't reported. Lawmakers recognize that cybersecurity threats remain one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America's gas supply (Colonial Pipeline), its meat supply (JBS), and various other companies, courts, and government agencies. One FBI cybersecurity official estimated the government only learns about 20% to 25% of intrusions at U.S. business and academic institutions.
In March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act, requiring critical infrastructure operators to report significant cyberattacks to CISA within 72 hours of learning about the attack, and to report any ransomware payment within 24 hours. The obligations take effect once CISA finalizes the implementing rule, so the exact definitions of "covered entity" and "covered incident" are still being worked out. Regulators are also considering whether "near misses" should be reported so that they can be studied and tracked. The problem is, how does one define a "near miss"?
What Does This Mean for Organizations? What’s the Best Way to Prepare?
As an MSSP, your customers count on you to keep them current, and that is your opportunity to act as their trusted advisor and help them make sense of a complex regulatory landscape. Your commitment to helping them stay compliant delivers value. Stuart Madnick, writing in the Harvard Business Review, proposes three key steps organizations can take today to prepare.
- Make sure your procedures are up to the task.
This is important for any company subject to SEC regulations. Under the SEC's rules, public companies must disclose anything "material": information that a reasonable investor would consider important, including anything that could move the stock price. Make sure your publicly traded clients understand what counts as material when it comes to cybersecurity, and that they have a documented process for deciding it quickly after an incident. For non-public companies, you'll still want to recommend a way to catalog and track incidents that could affect the business if it were to be sold or acquired.
- Keep ransomware policies up to date.
The days of paying ransoms and keeping it secret are likely to end soon. Paying a ransom can already create legal exposure (for example, when the recipient is a sanctioned entity), and outright bans are starting to appear: North Carolina was the first state to prohibit state agencies and local governments from paying ransoms. Instead of weighing on a spreadsheet what paying a ransom might cost versus spending more on infrastructure or insurance, you can help customers understand that these are quickly becoming choices they can't make. Instead, they need to be able to show they've done their best to prevent an incident and protect customer data.
- Prepare for a required “Software Bill of Materials” to better vet your digital supply chain.
MSSPs have a chance to add value here; in fact, producing and reviewing SBOMs could be something you offer as a service. Today's nested approach to software development and integration, where every product bundles dozens of third-party components, increases the attack surface. The SolarWinds incident is a good example: a trojanized Orion update gave attackers a foothold inside the networks of Orion users, from which they could reach those organizations' customers' and partners' data and networks. Note the caveat, though: an SBOM tells you which third-party components a product contains, which is what you need when a vulnerability such as the one in a widely used library is disclosed; it does not by itself reveal that a vendor's own build was tampered with, so it complements rather than replaces controls on build integrity.
MSSPs are well-positioned to help customers navigate these changes as lawmakers enact more regulations. From keeping clients aware of regulatory developments to managing the complexity of something like a Software Bill of Materials, you'll continue to be a valuable partner and advisor.