In a report released Wednesday, the Government Accountability Office, which provides watchdog services for the U.S Congress, found that executive branch departments — and the Treasury, in particular — have started work on harmonizing federal cybersecurity regulations but still have a long way to go.
The report from the accountability office condenses and revisits some of its recent findings about efforts from the Office of the National Cyber Director, Department of Homeland Security, and U.S. Treasury to bring conflicting regulations into alignment.
One example of the current disharmony in cybersecurity regulations relates to data breach disclosure notification rules, which vary by state and are not preempted by one overriding federal law. For example, each state has a different timeline that governs how quickly a company that suffers a data breach must notify the state’s attorney general about it — usually between 45 and 90 days of determining the scope of the breach.
In its Wednesday report, the accountability office revisited analysis it released in September 2020 that touched on this disharmony. In that analysis, four unnamed firms out of the 10 that agreed to speak with the accountability office mentioned difficulties following the various state breach notification requirements as opposed to one national requirement.
That 2020 analysis concluded with two recommendations: That the Treasury track the content and progress of sector-wide cyber risk mitigation efforts, and that it update the sector-specific plan to include metrics for measuring progress on these efforts.
In comments provided for the 2020 report, the Treasury generally agreed with the two recommendations but said it had limited authority to implement them.
For example, the Treasury said that requests to firms to provide metrics about their progress toward sector-wide cybersecurity goals would create concern among the firms that the information provided could be released in response to Freedom of Information Act (FOIA) requests. While the information that firms share about specific data breaches are specifically disqualified from disclosure via FOIA requests, metrics about firms’ progress toward meeting cybersecurity standards are not so clearly disqualified.
In its report released Wednesday, the accountability office said the two recommendations to Treasury “remain open.”
The report touches on other harmonization efforts. For example, Congress and the President passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The act established a Cyber Incident Reporting Council “to coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulation,” according to the report.
For the most part, the report concluded, these efforts remain incomplete. The incident reporting act in particular still has months to go before getting finalized. Just this week, the public comment period closed on proposed rules that specify what banks and other critical infrastructure operators must report to their regulators (in the case of the financial sector, to the Treasury).
Those rules provide new insights into how the Cybersecurity and Infrastructure Security Agency — which is in charge of enforcing most of the cyber incident reporting act — will assess the substantiality of a cybersecurity incident. However, the rules lack some of the objective standards some existing rules have. For example, the proposed rules do not set a threshold for how many people must be affected by a data breach before a company must report that breach to the agency.
To clarify the standards that determine whether a cybersecurity incident must be reported, in September 2023, the Department of Homeland Security released a report with eight recommendations that the federal government could adopt. One recommendation was for the federal government to come up with “model definitions” of reportable cyber incidents, reporting timelines, and reporting triggers, which the report recommended Congress then adopt to eliminate barriers to harmonization.
Some people outside government have been critical of government efforts they call contrary to the harmonization efforts. For example, the Bank Policy Institute has criticized the Securities and Exchange Commission for a recently adopted rule that requires publicly traded companies to disclose significant cybersecurity incidents to shareholders within four days of determining such an event is significant.
The current state of affairs in federal cybersecurity regulations is “a complex web of competing priorities where rules aren’t just duplicative but create confusion and contradict one another,” according to Heather Hogsett, senior vice president of technology and risk strategy for BITS, which is BPI’s technology policy division. Hogsett made the remarks at a Wednesday hearing of the U.S. Senate Committee on Homeland Security and Governmental Affairs.
“The most glaring example” of this complexity, Hogsett said, is the SEC’s cyber incident disclosure rule, which she said “undermines congressionally mandated efforts to improve cyber incident response.”
The accountability office’s Wednesday report concludes that as work continues on efforts to harmonize cybersecurity reporting regulations, “it is vital that the stakeholders involved in this process remain focused on resolving the conflicts, inconsistencies, and redundancies” in the current rules. Following through on the specific plans created to further these efforts “are essential to achieving harmonization,” the report states.
This post was originally published on 3rd party site mentioned in the title of this site
