Companies grapple with expanding cyber rules
Summary
State, federal and industry requirements aim to protect the U.S. from hackers but complicate compliance.
As cyberattacks plague companies across all industries and cause headaches for consumers, regulators are demanding that victims report hacks in short time periods—and the rules are rarely consistent, creating a compliance nightmare.
In addition to widely publicized rules such as those brought into force by the U.S. Securities and Exchange Commission in December 2023, many companies must also comply with other federal demands, rules from state regulators and industry-specific requirements.
Federal policy around cybersecurity regulations, outlined in the U.S. National Cybersecurity Strategy published in March 2023 by the Biden administration, is unlikely to change much should Vice President Kamala Harris win the White House in November’s election.
Former President Trump’s policy positions on cybersecurity are less clear. The Cybersecurity and Infrastructure Security Agency was founded during his administration in 2018, but the agency has become a lightning rod for criticism from some Republican lawmakers.
Meanwhile, a June U.S. Supreme Court decision that could limit the latitude federal agencies have to set rules could throw cyber enforcement into disarray.
Navigating the complexities
Cybersecurity chiefs object to the overlapping and conflicting mandates, pushing back on the lack of “harmonization” among the rules. Especially problematic are ever-narrowing deadlines for reporting cyber incidents.
“There’s a race by regulators to the bottom of who can require a faster notification,” said Erez Liebermann, a partner at law firm Debevoise & Plimpton, and a former federal prosecutor specializing in cybercrime cases.
The problem, illustrated: A publicly traded financial services company based in New York suffers a cyberattack. The company must report the incident within 72 hours to the state’s Department of Financial Services. If the company paid a ransom, it must report that single fact even sooner—within 24 hours. Four business days after it determines the attack will have a material financial or operational impact, it has to file an 8-K form with the SEC. If the company is a mortgage lender, it has 12 hours to report the incident to the Federal Housing Administration. If it is a member of the Federal Deposit Insurance Corporation, it has 36 hours. And each regulator demands a different level of detail.
Depending on other industries the company touches, and other states it operates in, additional rules apply.
In March, HealthEquity, a fintech company that manages health-savings accounts for employers, detected unauthorized access to one of its databases that compromised the personal and financial information of around 4.3 million people. The company reported the incident to state regulators and the SEC in July, and the U.S. Department of Health and Human Services in August.
More federal requirements are coming, namely the Cyber Incident Reporting for Critical Infrastructure Act, which must be finalized by October 2025. In 2022, Congress authorized the Cybersecurity and Infrastructure Security Agency to write rules forcing banks, power companies, manufacturers, healthcare providers and others in critical infrastructure to report cyberattacks. In April, CISA put out an initial proposal and got swamped with 300 industry comments, many complaining the rules are confusing, overly broad and often duplicate existing ones.
Health insurer Blue Cross Blue Shield Association, for instance, said in its response that healthcare companies may need to report incidents under the Health Insurance Portability and Accountability Act, the Federal Trade Commission’s rules on data privacy, the SEC’s rules and CIRCIA, once that rule is final.
“Four separate standards with similar but slightly different compliance expectations would impose an unreasonable burden with marginal benefit towards improving cybersecurity as compared to having a single, harmonized standard,” said Kris Haltmeyer, the association’s vice president of policy analysis.
Alphabet’s Google, in its response, described divergent rules as “one of the greatest challenges for incident-response teams globally,” adding that the proliferation of reporting requirements sucks up crucial resources in the middle of a crisis.
Rules often change quickly, and sometimes with little-to-no warning. The FHA’s 12-hour requirement, for instance, was introduced through a regulatory letter in May to companies and went into effect immediately. The SEC’s rules, by contrast, went through multiple revisions and lengthy comment periods for over a year.
Keeping current with requirements, let alone complying with them, can be challenging, said Adam Wisnieski, practice leader for cyber strategy and risk-management services at cybersecurity advisory company Optiv, particularly for companies that operate in multiple states, in other countries and across critical infrastructure sectors.
“It is a pretty heavy burden,” he said.
How we got here
As cybersecurity has become an existential matter for businesses and critical infrastructure, more regulators and lawmakers have gotten involved to understand threats and improve protections.
Plus, the powerful SEC, which exists outside of the regular chain of command in the government, has weighed in. The agency, led by its chairman, is authorized to write and enforce its own rules.
Now, there’s a tangle of rules growing out of the sometimes arcane structure of federal agencies along with states’ rights to regulate certain activities and industry-specific regulations.
Independent agencies have the freedom and flexibility to closely oversee specific industries, but they aren’t compelled to harmonize their rules with others. State agencies also have power over certain industries, such as insurance, and aren’t under any obligation to align their requirements with others.
“Everyone admits it’s a problem, but everyone does it the way they do it, either for valid rational reasons or because of inertia,” said Jim Richberg, global field chief information security officer at cybersecurity company Fortinet and a former senior cyber official in the Office of the Director of National Intelligence.
What next?
Efforts are under way to try to reconcile at least some provisions among the main sets of regulations. CIRCIA’s passage in 2022 established an interagency council chaired by the Department of Homeland Security to identify overlap. The council published a report in 2023, analyzing more than 50 federal cyber incident-reporting rules for ways in which the government could align its requirements.
So far, few if any rules have been amended.
“The cabinet-level agencies get together to say they’re going to drive change and then hopefully some of that will trickle down to the independents. But doing this kind of regulatory harmonization is a real challenge,” Richberg said.
Another wrinkle: In June, the Supreme Court struck down a 1984 decision that had effectively forced lower courts to defer to federal agencies charged with implementing laws. The case, Chevron v. Natural Resources Defense Council, has been cited thousands of times in legal arguments where agencies have prevailed in challenges to their authority.
The decision could significantly complicate cybersecurity regulations such as incident reporting, experts say, by taking power away from federal agencies. State agencies and courts would then fill the void, creating a Balkanized landscape similar to that of privacy laws, where a lack of a federal bill has led states to develop their own laws.
“I do think that the state and local elements are going to be the enforcement arm and that is going to significantly add more burden to teams to sort this out and keep track of things,” Optiv’s Wisnieski said.
Organizations without robust legal and compliance resources could miss reporting deadlines or fail to provide the detail needed for government authorities to assess security threats.
“As you add layers of regulations, layers of complexity, there’s things that could start falling through the cracks,” he said.
Write to James Rundle at james.rundle@wsj.com