How To Deal With the Vagueness in New Cyber Regulations

Recent regulations for privacy, AI, and breaches tend to be overly broad, suggesting that the rulemakers lack tech acumen.

Regulatory bodies at every level of government have handed down stiffer privacy and disclosure requirements this year, with penalties to match, crafted with ambiguous language and squishy guidelines, leaving cybersecurity teams hip-deep in liability with no clear path to compliance.

Recently released Securities and Exchange Commission (SEC) guidelines on cyber incident disclosure are an example of the kind of confusion vague regulatory language can cause. Cybersecurity expert Adam Shostack tells Dark Reading that he has observed the rules being widely misinterpreted.

"I think the requirement for transparency is generally good, and it's important to note it's within four days of determining it's a material breach, not within four days of discovering a breach," Shostack notes. "A lot of people are missing that important distinction."

Shostack, along with a panel of experts including Mike Hintze, Daniel P. Cooper, and Leslie R. Katz, will offer advice on how to navigate a slew of new cyber regulations at Black Hat USA during their presentation, "Hot Topics in Cyber and Privacy Regulation."

Vague Language, More Enforcement

Some of the vague language of cyber regulation is necessary, Shostack points out.

"Also, let's be frank. The reason these standards are vague is often [because] industry demands for flexibility," he adds. "If we're having trouble because the standards are too open-ended, we should bring that to our industry groups and lobbyists."

Katz, an attorney and former tech executive, agrees it's up to the cybersecurity community to help educate and shape rulemaking discussions. Without technical guidance, regulatory bodies like the SEC are left with little influence beyond punishment, she adds.

Katz says that lack of cybersecurity expertise is fueling the SEC's consideration of legal action against SolarWinds executives for the company's 2020 breach.

"This seems to be another effort by the SEC to regulate by enforcement. Rather than providing clearer guidelines, they are sending a message via such an action," Katz tells Dark Reading. "A warning shot for all that even greater vigilance and rapid responses will be needed."

The panel will provide guidance on topics that span US privacy law, European Union regulations around AI, the EU-US Data Protection framework, and how security pros can best engage with the compliance and rulemaking process.

Continued regulatory uncertainty requires increasingly close collaboration with legal and compliance experts, both during preparation and during an actual cyber incident response, Shostack says. He adds that the best place for cyber teams to start is with technical standards from the National Institute of Standards and Technology, the Cybersecurity Framework, or the Secure Software Development Framework.
