Most chief compliance officers (CCOs) are not technology experts, just as chief information security officers (CISOs) are not regulatory compliance experts. But as a strategic partnership, these two functions play an invaluable role in protecting against cybersecurity risks.
The need for CCOs and CISOs to foster a collaborative relationship has become even more important following the White House’s March 2023 release of its National Cybersecurity Strategy, which puts national regulatory focus on the safety and security of the entire U.S. digital ecosystem.
The strategy, in part, calls for “modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation.” As these regulatory efforts continue to develop, they will necessarily require Compliance and IT teams to work together with the business to come up with a joint cybersecurity risk management strategy.
Critical infrastructure cybersecurity developments
As part of recent efforts in this area, the House Energy and Commerce Committee held a hearing May 16, in which officials from the Department of Health and Human Services (HHS), Environmental Protection Agency (EPA), and Department of Energy (DoE) assembled to discuss how critical infrastructure sectors are protecting against increasing cyber threats.
During the hearing, the importance of developing public-private sector partnerships was a common theme. In the energy sector, for example, private companies own and operate the majority of the U.S. critical energy infrastructure, said Puesh Kumar, director of the DoE’s Office of Cybersecurity, Energy Security, and Emergency Response. “It is crucial that lines of communication between the federal government and these companies remain open and that we approach risk management for the sector with a sense of shared responsibility,” he said.
Brian Mazanec, deputy director at the HHS Administration for Strategic Preparedness and Response, also stressed the importance of public-private sector partnerships in his testimony. As part of this effort, there are several resources aimed at helping the healthcare sector build cyber resilience. These include the Health Industry Cybersecurity Practices, the Hospital Cyber Resiliency Initiative, and the Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide.
Additionally, the Food and Drug Administration (FDA) has imposed new cybersecurity requirements on medical-device makers for the premarket submission of “cyber devices.” Under the newly added Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act), medical-device makers must describe how they plan to “monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits.” They must also “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems.” Section 524B additionally requires a software bill of materials (SBOM) covering the commercial, open-source, and off-the-shelf software components in the device, which is what allows a manufacturer to know whether a newly disclosed vulnerability in a third-party component affects its products.
Cybersecurity disclosure requirements
Critical infrastructure sectors also will soon face new cybersecurity incident reporting requirements. Under the “Cyber Incident Reporting for Critical Infrastructure Act” (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) is currently developing regulations that will require covered critical infrastructure entities to report covered cyber incidents and ransom payments to CISA.
The Securities and Exchange Commission (SEC) is another agency weighing proposed rules “to enhance and standardize disclosures regarding cybersecurity risk management strategy, governance, and cybersecurity incident reporting by public companies.”
The SEC’s proposed rules would require the reporting of “material” cybersecurity incidents and periodic disclosures about “policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.” Updates would also be required on previously reported cybersecurity incidents.
There also have been developments pertaining to cybersecurity disclosure obligations in the financial services industry. Last year, the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC) issued a final rule requiring “banking organizations” and “bank service providers” to notify their primary federal regulator of any “computer-security incident.”
For banking organizations, this notification must occur “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” Bank service providers, by contrast, must notify each affected banking organization customer as soon as possible once they determine that an incident has caused, or is reasonably likely to cause, a material service disruption of four or more hours. According to the final rule, examples of a “notification incident” include a “large-scale distributed denial-of-service attack that disrupts customer account access for an extended period of time and a computer hacking incident that disables banking operations for an extended period of time.” Because the 36-hour clock starts at the determination that a notification incident has occurred, not at detection, the incident response process needs a documented point at which that determination is made and recorded.
Cybersecurity best practices: An evolving journey
The cybersecurity initiatives mentioned above are just a few of the regulatory developments that are currently proposed or already in effect. As cyber threats proliferate and cyber criminals become more sophisticated in their attacks, cybersecurity best practices will no doubt have to evolve as well, as will the strategic partnership between CCOs and CISOs.
While CCOs are responsible for structuring and enforcing compliance with cybersecurity policies, breach response procedures, and disclosure requirements, these regulatory obligations cannot be met without a full and transparent understanding of the data security and cybersecurity efforts being undertaken by the IT and security teams.
Along these lines, there are many opportunities for CCOs and CISOs to work together. For example, compliance can alert IT and security teams to any new cybersecurity disclosure obligations, such as those required by CISA, the SEC, or the federal banking regulators, and agree with them on how a cybersecurity incident is escalated up the chain of command so that the regulatory reporting clock is tracked from the moment it starts. CCOs and CISOs can also work together to craft cybersecurity best practices within their own organizations, and to set expectations for third parties: what a vendor’s obligations are for responding to a cyber event, and what notice and disclosure obligations it owes the organization so that the organization can in turn meet its own deadlines.
One thing is for sure, the partnership opportunities between CCOs and CISOs are myriad, ever evolving and should be tailored to each organization’s unique cybersecurity needs and regulatory requirements.