Chicago Businesses Brace for Impact as New Cybersecurity Regulations Come into Play
For much of the time that the Internet has been around, private companies have been left to their own devices to take care of cybersecurity matters. The assumption was always that these companies would want to clamp down on and prevent cyber threats from taking a swipe at their business in the first place. However, under new regulations established by major cities like Chicago, that assumption is no longer enough to skate by.
Government Steps In
One of the reasons why new cybersecurity regulations in Chicago are so notable is that governments have often been slow to act on these types of things. Government is often one of the last entities to act because many lawmakers feel woefully unprepared for the challenges of regulating technology. Many in power do not necessarily have a firm grasp on how new technologies work. Besides that, crafting legislation is a slow process, but the creation of new technologies is not. In short, in most cases technology companies move much faster than the law can keep up. That being said, the government is trying its best to catch up to some of the technological developments that have taken place as of late.
At the federal level, the following organizations are all working on new regulations:
- Federal Trade Commission
- Food and Drug Administration
- Department of Transportation
- Department of Energy
- Cybersecurity and Infrastructure Security Agency
They are trying to get ahead of some of the latest cybersecurity threats. In 2021 alone, 36 states enacted new cybersecurity laws within their borders.
While this is happening, companies ought to take the time to learn what these regulations are likely to look like and how they can adapt so that they remain protected from the worst fallout of these regulations. In other words, companies need to take the time now to build up their defenses against whatever regulators want to throw at them.
Is Greater Transparency Around the Corner?
Something interesting about cybersecurity that many don’t realize is that transparency is not at the core of much of the legislation enacted. Most of the legislation passed before has responded to a specific cybersecurity incident, but it hasn’t necessarily pushed companies to be more proactive about reporting attacks. Instead, it has been commonly understood that companies need to report when personal information is stolen in an attack, while they are not necessarily required to report an attack in which no personal information was stolen.
The McKinsey Institute reports that certain new pieces of legislation will make it more challenging for companies to keep security hacks under wraps as they used to:
…the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, will require critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).
However, some companies view this as a chance to be more transparent about what has occurred within their organization. Right now, some companies feel like they are being singled out if they voluntarily report cybersecurity incidents that occur within the company. They may be singled out for ridicule or even worse. Thus, many companies have taken a posture of hiding the security threats they have faced to keep themselves protected and covered as best as possible.
If all companies are forced to report incidents in the same way, then there may not be as much stigma about a particular company reporting an incident as there might have been in the past.
How Can Companies Adapt Right Now?
Company leaders pore over the laws as they are released to see what they need to do to remain compliant. It is wise to keep tabs on things like this to see what needs to be done to ensure the company remains in good standing with the law. At the same time, there are some other measures that one may choose to take to stay in the law’s good graces moving forward.
Keep Ransomware Protection Up to Date
A healthy portion of the new regulations revolves around ransomware attacks and reporting those attacks to the proper authorities. Companies will soon be required to be much more diligent about making those reports and notifying the public when something goes wrong. Thus, now is the time to review your ransomware protection software and ensure that it is all up to date. Failure to do so could result in a reportable attack.
Vet Your Digital Supply Chain
Every piece of information that passes through your digital supply chain comes from somewhere. It is best to know the precise way it moved through your workflow if you want to ensure that you never lose track of where your materials are coming from or going. Thus, it may be a good time right now to check on your digital supply chain and see whether there are any potentially troubling areas.
Get Procedures Up to Date
Protecting a company’s data and information must remain a top priority. An excellent way to make this happen is to ensure your procedures are up to date for the modern world. This means following how various laws are moving through state capitols around the country. It may even be wise to hire someone whose job it is to monitor the progress of various state laws as they relate to cybersecurity. Staying up to date with those laws and regulations is of the utmost importance.
These are a few things that everyone needs to know about when it comes to cybersecurity and how the rules and regulations around cybersecurity are changing rapidly. If you haven’t reviewed your procedures in some time, it is time to do so. For more information about the direct impacts of this Chicago law, don’t hesitate to contact us for the latest information.