Key Cyber Policy Updates All Board Members Should Act on in 2024

New cyber incident reporting mandates and cyber policy regulations will keep cybersecurity professionals busy in 2024. But with CEOs and senior execs increasingly found personally liable, this advisory is for them, says Katharina Sommer

When it comes to cybersecurity, responsibility for meeting governmental and regulatory requirements doesn’t lie solely with IT teams and CISOs. CEOs and senior executives can be found personally liable in a cyber incident, facing fines and, in some cases, even a criminal conviction. So, it’s essential that all board members make cybersecurity a priority – especially as new and more stringent policy and legal changes are set to be implemented around the world this year.

While political upheaval may have delayed some reforms in some countries, cyber rules for critical infrastructure continue to be tightened and more widely applied worldwide.

The Cyber Assessment Framework

Focusing on the UK, the Cyber Assessment Framework (CAF) continues to be rolled out across existing regulated sectors, from transport to healthcare. While the UK government previously announced updates to NIS regulations, extending the requirements to new industries like energy flexibility providers and managed service providers, these legal reforms have been put on the back burner as a General Election looms, a trend we can expect to see worldwide as 40 countries head to the polls this year.

Cyber Governance Code of Practice

In lieu of new cyber laws, the UK is focusing on alternative ways to drive up cyber resilience, like government procurement and voluntary measures. This includes a new voluntary Cyber Governance Code of Practice to formalise the government’s expectation of company directors managing cyber risk. In the EU, we are waiting to see whether crucial laws such as the Cyber Solidarity Act, AI Act, and Cyber Resilience Act will be enacted before the June elections.

“Incident reporting requirements are also set to tighten over the coming months”

Cyber watchers will also want to keep an eye out for changes following the elections. We expect the broad trend toward the greater regulation of cybersecurity to be reflected across new governments’ policy programmes – with strengthened cybersecurity requirements supported across the political divide in most jurisdictions.

Partially reflective of increased critical infrastructure regulation, incident reporting requirements are also set to tighten over the coming months.

The Australian Government has announced plans to introduce a mandatory ‘no fault, no liability’ ransomware reporting obligation, to improve its understanding of ransomware and cyber extortion trends. The government plans to work with industry to co-design possible options for legislation.

Cyber Incident Reporting for Critical Infrastructure Act

US agency CISA has confirmed that it will publish the Notice of Proposed Rulemaking (NPRM), covering how it will implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) by Spring 2024. Meanwhile, the SEC’s new incident reporting rules covering material breaches took effect in December 2023 for larger public companies, while smaller registrants will have to comply from June 2024. The new rules also put company boards firmly in the spotlight, with annual reporting obligations including the requirement to disclose a board’s cybersecurity expertise and oversight of cyber risks.

DORA

Finally, the EU’s NIS2 Directive and DORA introduce enhanced reporting requirements for critical entities that include a new three-tier reporting system: an ‘early warning’ within 24 hours of becoming aware of the incident; an ‘incident notification’ within 72 hours, providing an initial assessment of the incident’s severity, impact and indicators of compromise; and a ‘final report’ within one month covering a detailed description including the incident’s root cause. We may see more detail on how the new three-tier reporting system will be implemented over the coming months as member states publish and pass regional laws transposing the directive.

Cyber Resilience Act

While countries worldwide seek to improve the cybersecurity of connected devices that their citizens rely on daily, all eyes will be on the EU’s Cyber Resilience Act (CRA), which, amid some opposition by the security community, is set to be adopted shortly. The new law will introduce cybersecurity requirements for a significant proportion of hardware and software sold into the EU, covering risk assessments, vulnerability handling processes, and incident reporting.

Once adopted, manufacturers and developers will have 36 months to adapt to the new requirements, except for a more limited 21-month grace period in relation to the reporting obligations. This comes as the European Commission has adopted the regulation for the (currently) voluntary Common Criteria-based cybersecurity certification scheme (EUCC).

The bottom line

Amidst the increasing complexity of regulatory requirements and government policies globally, senior executives are well advised to use regulatory and policy insights to inform sustainable cyber investments and avoid fragmented decision-making on security programmes and initiatives. Further rules are looming, and boards and senior decision-makers cannot delay acting until compliance deadlines are imminent. Early planning and getting ahead of the curve will pay dividends through better-aligned and future-proofed security investments.

Equally, and this cannot be emphasised enough, while regulatory compliance should drive good cyber security investments and outcomes, compliance alone does not equal good security. It’s crucially important that all board members understand this difference to allow their organisations to thrive in a more secure digital future.