New Cybersecurity Regulations To Impact Los Angeles Businesses
Every year brings new and high-profile cybersecurity attacks against companies, organizations, and government agencies, large and small. Generally speaking, we’re not talking Hackers, Mr. Robot, or any of the more romantic notions of hackers Hollywood has provided over the years. Today’s cyberattacks are usually perpetrated by small groups or large organized cybercriminal networks for financial gain. Sometimes they are carried out by individuals or groups linked to foreign governments seeking geopolitical or economic advantage. And while the notion of the populist hacker giving a large corporation its just deserts may have some appeal, the truth is that cybercrime can have a catastrophic impact on its victims, who range from companies and nonprofits to everyday citizens.
Why Increasing Attention Is Being Paid to Cybersecurity
Ten years ago, the average citizen’s exposure to cybercrime most likely came from their employer being hit by a cyberattack, or from a data breach at an online business they used that exposed their financial information. In recent years, however, everyday citizens have felt the effects of cyberattacks on what is known as critical infrastructure. Critical infrastructure consists of the private and public sector organizations that provide services essential to society. They span 16 sectors, including:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
Until recently, there were relatively few federal statutes with explicit cybersecurity mandates for critical infrastructure sectors, outside of a handful of regulated industries. And even as cyberattacks grew in quantity and sophistication, and more nation-state actors weaponized online technologies for espionage, coercion, and military conflict, progress on robust and comprehensive cybersecurity measures was slow.
However, recent attacks on critical infrastructure providers, including JBS Foods and Colonial Pipeline, have helped propel Congress to action. Moreover, supply chain disruptions stemming from both the pandemic and the war in Ukraine have cast a harsh spotlight on critical infrastructure vulnerabilities in the U.S. and abroad. And as legislators draft, debate, and implement stronger cybersecurity measures at home, IT companies and their staff are preparing to comply with recently passed cybersecurity laws and bracing for the passage of more.
What the U.S.’s New Laws Mean for Businesses and Organizations
This year (2022), President Biden has signed into law:
- The Cyber Incident Reporting for Critical Infrastructure Act
- The Better Cybercrime Metrics Act
- The State and Local Government Cybersecurity Act
- The Federal Rotational Cyber Workforce Program Act
The latter three are designed to increase interagency cybersecurity coordination among government stakeholders, improve cybercrime reporting metrics, and build a bench of cybersecurity professionals in federal service, given longstanding documented staffing gaps across agencies. Unless you are a government agency, little in these three laws is immediately actionable for businesses. Over time, however, cybersecurity professionals should pay close attention to the new reporting measures, metrics, and threat data that result from their implementation, since that information can help them safeguard their own organizations.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) does require adjustments to existing emergency plans for critical infrastructure firms. Once its implementing rules take effect, covered entities must report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and must report any ransom payment made in response to a ransomware attack within 24 hours of making the payment. This is a huge development, as firms have underreported attacks for years. Underreporting has not only stymied law enforcement’s ability to investigate individual cases; it has also hurt the cybersecurity community’s collective ability to identify and respond to threats and to develop effective security measures and systems.
From a practical perspective, this legislation means that critical infrastructure businesses and organizations must adjust their internal incident response plans and processes, and train their staff, so that swift reporting is a built-in step in the event of a cyberattack. Under the parameters CISA develops, they must be prepared to provide the Cybersecurity and Infrastructure Security Agency (CISA) the data relevant to the attack, including what systems were affected, how the attackers got in, and who has been notified.
Under the Act, CISA must publish a proposed rule no later than March 2024, with a final rule due no later than September 2025, and the reporting obligations only become mandatory once that final rule is in effect. While these rules are not yet established, critical infrastructure firms and organizations can begin evaluating now whether they have the technological capacity, internal processes, and personnel to detect an incident, gather the facts, and report it swiftly and completely within a 72-hour window.
What’s Next In Cybersecurity Regulation and How to Prepare
Many businesses and organizations have historically concluded that the potential reputational and legal risks of disclosing a breach outweigh the possible benefits of reporting it. And with a patchwork of agencies responsible for investigation and law enforcement, it has been hard for IT professionals both to know whom to report to and to trust that reporting will lead to a positive outcome. However, the societal costs of a breach of, say, a railway transportation management system can be catastrophic for business, government, and everyday Americans, which is why Congress and the President have taken action recently.
While these laws will help the U.S. begin to address cybercrime, they only scratch the surface. Legislators in both parties have discussed many additional proposals to further enhance information sharing between the private and public sectors and to increase resources for cybersecurity education. Moreover, most states have begun to pass additional legislation to help mitigate the risks and effects of cybercrime and cyberterrorism.
California, which has long charted its own course in areas like environmental and data privacy regulation, will likely continue to refine the landmark California Consumer Privacy Act (already expanded by the California Privacy Rights Act), which, along with increasing federal cybersecurity legislation, will have implications for businesses and organizations across industries. While rules, regulations, and statutes are still being developed, all businesses and organizations can prepare for them by ensuring they have a comprehensive cybersecurity plan, robust physical and digital security, and backup and disaster recovery measures that are continually updated, tested, and assessed for vulnerabilities.
Despite cyberattacks’ clear and present danger, many businesses and organizations still lack comprehensive cybersecurity plans. That’s where Generation IX comes in. We work with you to devise, deploy, and manage the best cybersecurity measures available for your organization.
Having safeguarded Los Angeles-area firms for more than two decades, we have the experience, resources, and talent to keep your firm safe. Our team stays on top of emerging threats, new regulations, and innovative security approaches so you can focus on driving revenue. And we’re ready to work with your team to keep your data and digital assets safe and secure. Contact us today, and let’s help you fortify your organization against the threats on the horizon.
Every day, I work to ensure organizations are leveraging technology to optimize their business, improve employee performance and satisfaction, and protect themselves from cybersecurity threats. I love my role in business development because it allows me to connect with all facets of a business. My primary focus is working with new prospective clients and introducing them to the Generation IX way of IT services and support. Additionally, I evaluate new technology and potential vendor partnerships. We are constantly looking for the best solutions for our clients.