Winds of change
Robust cybersecurity is paramount in the face of the rapid advances in digital transformation. Regulatory bodies worldwide are tightening cybersecurity regulations to protect sensitive data in response to increasing cyber threats. But what are the drivers behind these changes and key regulatory developments?
1. Greater cyber threats
Cyber attacks and their impact continue to grow, so stronger regulatory measures are required.
2. Technological advances
Emerging technologies like AI, blockchain, and cloud computing introduce new security challenges.
3. Consumer protection
Safeguarding personal and financial information remains a top priority.
4. Global regulatory harmonisation
Coordinated responses to transnational cyber threats mean that the world's regulators are adopting similar approaches.
Key regulatory developments
More than words
Cybersecurity-related laws are becoming more stringent as they start to reflect an industry-held understanding of key risks. This includes extending insight and visibility into the supply chains of key industries, the EU's Digital Operational Resilience Act (DORA) being a prime example. The detailed requirements the EU has set out for DORA compliance are more prescriptive than those of other regulations in this space, and they highlight the need for businesses to do more to address cybersecurity risk.
The NIS2 Directive is another example of regulators placing additional obligations on organisations in new sectors. Appropriate (and enforced) levels of cybersecurity are now accepted as being in the best interests of citizens.
Both NIS2 and DORA are likely to create a wave of similar regulations in wider markets, as other regulators seek to establish comparable levels of cybersecurity.
Third-party risk management
Regulators emphasise thorough due diligence and continuous monitoring of vendors' cybersecurity practices. The Office of the Comptroller of the Currency (OCC) in the US has guidelines for robust third-party risk management (TPRM), including contractual agreements and vendor oversight.
Incident reporting and response
Regulators now mandate stricter incident reporting requirements. The EU's NIS2 Directive requires significant cyber incidents to be reported within 24 hours. The US Securities and Exchange Commission (SEC) is also considering similar rules for publicly traded companies. Such reporting provides insight into potential cybersecurity failings within organisations and will keep the focus on cybersecurity, and on the individuals responsible for it, within the organisation.
Beware of AI-washing
You’ve heard of whitewashing, greenwashing, and pinkwashing. Now you can add AI-washing to the laundry list of ‘marketing claims to be wary of.’
AI and supportive technology is not new – who else remembers Clippy, Microsoft’s helpful [irritating] Office Assistant? Clippy popped up on our screens for the last time in 2007 (presumably its last words were, “it looks like you’re trying to ship this software update without me”).
Since then, AI technology has advanced in leaps and bounds and now everyone is promising ‘AI-powered’ tools without specifying to what degree AI is integrated into their offerings. In 2023, the US Federal Trade Commission warned marketers to ‘keep your AI claims in check’.
AI and AI-washing will continue to be a key consideration for organisations that rely on the operation and functioning of AI-driven cybersecurity tools.
The SEC has considered the question in relation to claims of AI use in investment products. This could be an area that develops quickly, especially given the significant number of technology providers leveraging AI, particularly in cybersecurity.
Increased focus on operational resilience
Operational resilience is a key focus, particularly with DORA. Financial institutions must ensure continuity of critical operations during cyber incidents. The UK’s regulatory bodies have issued requirements for identifying important business services and developing resilience strategies. This shows no signs of slowing down, so expect a greater regulatory focus on the resilience of supply chains and cloud providers.
Incident transparency and forensic reports
Several cases in North America have tested and sought to confirm when and how legal privilege can be applied to forensic reports.
Canada
LifeLabs LP v Information and Privacy Commissioner held that the forensic report related to a 2019 data breach was not privileged.
CNOOC Petroleum North America ULC v ITP SA found that a report provided to the regulator was discoverable.
United States
As part of a series of ongoing examinations into the use of legal privilege (including Dominion Dental Servs. USA, Inc. Data Breach Litig. (2019) and Premera Blue Cross Customer Data Sec. Breach Litig. (2017)), the court decided not to apply legal privilege to a forensic report that was part of the CapitalOne breach. The forensic report, its purpose, and the nature of the relationship between the forensic report's creator and CapitalOne were all considerations.
This narrowing of legal privilege will place additional focus and emphasis on the management of cybersecurity incidents, including the nature of the reports created in addition to the quality of the decisions made by executives.
Organisations will need to demonstrate that leadership took appropriate steps regarding the incident; by association, the historic investment in and ongoing management of cybersecurity will also likely be scrutinised.
Implications for organisations
Compliance costs and resource allocation
Meeting regulatory requirements will require ongoing investment in cybersecurity infrastructure and expertise. This includes technology upgrades, staff training, and enhanced TPRM. A feature of compliance that is frequently overlooked is the need for ongoing operational excellence regarding cyber controls. Organisations must not be distracted by the allure of advanced and complex solutions at the expense of “doing the hard yards”.
Enhanced cybersecurity posture
Despite high compliance costs, stronger cybersecurity will benefit all organisations by protecting against cyber threats and building customer trust. Establishing greater visibility across supply chains will drive a greater level of professionalism across cybersecurity within those industry sectors that typically have lower maturity.
Need for proactive cybersecurity strategies
Institutions must adopt proactive strategies, including advanced threat detection, regular security assessments, and fostering a cybersecurity-aware culture.
Mechanisms should also be established to ensure that these assessments take place and keep pace with shifting regulatory requirements.
Collaboration and information sharing
Regulatory bodies encourage collaboration and information sharing to combat cyber threats. Participation in industry forums and sharing threat intelligence are essential and should be embraced by organisations.
Here we go – ready or not
The next few years will see significant developments in cybersecurity regulation. Institutions must stay informed, invest in robust cybersecurity measures, and adopt proactive strategies to navigate the evolving regulatory landscape. By doing so, they can enhance their cybersecurity posture, protect sensitive information, and build trust with their communities.
For tailored advice and solutions to help your organisation meet these regulatory requirements, contact me or one of the team.