Ice Miller Cybersecurity Law Snapshot: February’s Federal Regulatory Rollout
February brought a legislative and regulatory blitz from the federal government, with an array of new cybersecurity guidance and proposed rules aimed at reinforcing security. From NIST software labeling guidelines to the SEC’s proposed 24-hour reporting requirements, this Snapshot provides a brief overview of potential cybersecurity rules and obligations coming in 2022.
NIST Issues New Guidance on Software and IoT Security and Labeling
In response to President Biden’s Executive Order on “Improving the Nation’s Cybersecurity,” NIST issued a variety of guidance documents on February 4 to strengthen software security and develop consumer-facing security labels for software and IoT products. Among this guidance was the Secure Software Development Framework (SSDF), meant for designing and maintaining secure software by addressing security issues earlier in the development process to reduce costs, increase production efficiency, and enhance security. The SSDF provides organizations with high-level goals divided into four groups: Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities. A few of the SSDF’s recommended practices include strengthening access controls, creating software integrity verification procedures, verifying third-party security compliance, and implementing ongoing risk response and analysis.
NIST also issued labeling guidance for both consumer software and consumer Internet of Things (IoT) products. Rather than designing a specific label, NIST developed a set of desired outcomes with adjustable implementation requirements based on the risk posed to the product or software. At this time, NIST is recommending the use of binary labeling (a single label indicating a product has met a minimum baseline) deployed in a layered approach (consumers can easily access additional information online via a hyperlink or QR code). Label language should target non-expert, home users and be designed to maximize consumer education. Accordingly, the guidance requires a range of public-facing disclosures, such as disclosing how the data is protected, how the software is updated, how long the software is supported, how cybersecurity incidents are detected, and the documentation of standards used for development.
SEC Proposes Cybersecurity Rules for Investment Industry
On February 9, the SEC released its new cybersecurity rules for the investment management industry, proposing new compliance and disclosure obligations rooted in the investment industry’s fiduciary duty to minimize cybersecurity risks. The SEC underscored that the rules are a flexible model that allows businesses to tailor their cybersecurity procedures based on individual operations, organizational complexity, and anticipated risks. In the proposed rule, the SEC focused on five main categories:
- Risk Management Policies & Procedures
  - Requires risk assessments that review each component of an information system, the information therein, and the overall impact of a cybersecurity incident.
  - Encourages funds to adopt an array of new cybersecurity use and access procedures.
- Incident Reporting Obligations
  - Requires written documentation of any cybersecurity incident, including a summary of an entity’s response and recovery.
  - Creates the Form ADV-C, which must be submitted to the SEC for any “significant advisor/fund cybersecurity incident” within 48 hours after there is a reasonable basis to conclude an incident has occurred or is occurring.
- New Required Disclosures
  - Amends multiple disclosure forms, such as the Form ADV Part 2A, to require disclosure of cybersecurity risks and incidents to the fund or its service providers, market participants, potential clients, and certain fund registration entities.
  - Mandates disclosure of any risk that could materially affect the fund’s services, alongside a description of how the fund will respond to each risk.
- Annual Review & Oversight
  - Mandates, at least once a year, a review and evaluation of all cybersecurity policies and potential risks, with a written report submitted to the fund’s board for review and approval.
- Extended Recordkeeping
  - Establishes a five-year retention period for all copies of: (i) cybersecurity policies currently or formerly in effect; (ii) annual review reports; (iii) any filed Form ADV-C; and (iv) any records related to any cybersecurity incident or risk assessment.
The Senate Eyes 72-Hour Cybersecurity Incident Reporting for Critical Infrastructure
In response to certain cybersecurity reporting provisions being removed from the 2021 NDAA, a bipartisan group of legislators has released the more focused Strengthening American Cybersecurity Act of 2022. Notably, Title II of the Act implements new rapid reporting requirements for the sixteen identified critical infrastructure sectors. [1] Covered entities would be required to report cyber incidents to CISA no later than 72 hours after an event is “reasonably believed” to have occurred, and within 24 hours of any ransomware payment being made. The reporting obligations, however, do not cease after these initial disclosures; instead, organizations are also required to promptly submit supplemental reports until the incident has been fully mitigated and resolved. Once CISA has received these reports, it must keep the information confidential and limit its use to assisting in identifying, developing, and disseminating attack indicators and defensive measures to the impacted sectors.
Connect with Ice Miller Cybersecurity Attorneys
Ice Miller has extensive experience assisting companies to navigate and comply with federal cybersecurity laws and regulations, as well as taking advantage of cybersecurity-related procurement opportunities. Our team includes Guillermo Christensen, managing partner of the firm’s Washington D.C. office and former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State; Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on federal procurement cybersecurity laws and regulations; Angad Chopra, a Certified Privacy Professional and associate in Ice Miller’s Data Security and Privacy Group; and Dakota Coates, an associate in Ice Miller’s Litigation Group.
[1] The critical infrastructure sectors are designated in Presidential Policy Directive 21.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.