Cybersecurity Regulations: Signals Increasing In Frequency, Intensity - FCC, SEC, NYDFS, and More

1–16–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday January 16th, Martin Luther King, Jr. Day here in the United States, a bank holiday, and a chance to remind ourselves that the arc of justice is long, and our world tomorrow can look and work differently than it does today - if we’re willing to do whatever it takes to make change.

This week’s One Big Thing is the continued signals that cyber regulation is coming - in many cases, is already here - and is going to fundamentally change the equation for many of our businesses.

Let’s dive in.

Regulators Gonna Regulate, A Lot

To be clear, the concept of cybersecurity regulation is not new, nor are many of the regulations themselves.

Indeed, in recent years, I’ve taken to borrowing a phrase from my friend Mike Hamilton that “insurers have become the default regulators.” I think that dynamic is changing, however, as regulators step up to the plate, and insurers alter their own market mechanics.

None of this is exactly new.

What is new, however, is the volume and frequency of the indicators, subtle and not so subtle, coming from regulators in their words and actions.

In the past week alone, we saw an announcement from the FCC regarding its intent to regulate covered entities, details of a lawsuit by the SEC against a major law firm, and a multi-million dollar enforcement action from the New York Department of Financial Services.

And - there’s more to come from the SEC and from the National Cybersecurity Strategy.

What does it all mean, and how should we position ourselves to ride out these storm clouds, now that we can see them stacking up on the horizon?

  1. This week, the FCC announced a proposal to update its data breach reporting requirements. This proposal would require telecommunications carriers (which is actually quite broadly defined as “any provider of telecommunications services”) to notify the FCC, FBI, and Secret Service of all reportable breaches, including inadvertent breaches, that impact “customer proprietary network information.”

    Now, let’s be clear that this is just a proposal, and that it’s going to go out for comment and take its time to work through the process, but it’s an indicator that the FCC - like other agencies - is looking both to strengthen its position on cyber regulation and disclosure, and to demonstrate its level of concern for these issues. Keep an eye on this one, as the number of entities that would be impacted by such a regulation - particularly depending on the definition of a “reportable breach” - could be quite large. It would certainly be a boon for the FBI and Secret Service in terms of their threat intelligence.

  2. The FCC isn’t the only one demonstrating its seriousness with regard to the disclosure of cybersecurity incidents. This week, the US Securities & Exchange Commission filed suit against major law firm Covington & Burling, looking for details on “nearly 300 of the firm’s clients whose information was accessed or stolen by hackers in a previously undisclosed cyberattack.”

    The attack in question was carried out by the Hafnium group, largely attributed to a threat actor backed by the Chinese government. The SEC is looking for this data in relation to an ongoing investigation around potential securities violations (insider trading and the like), but it’s a pretty serious move to ask an AmLaw 100 firm to disclose something like this.

    It’s also worth remembering that the SEC’s proposed cyber rules around incident notifications for public companies are set to be finalized this Spring, meaning we’re likely all going to see more dirty laundry aired.

  3. Lest it be outdone, the New York Department of Financial Services has announced a raft of enforcement actions over the past month - aimed largely at insurers. Companies like Chubb, Liberty Mutual, and State Farm have all been hit with fines of $1M or more for non-compliance with regulations, and another insurance agency took a $1.9M settlement for not only being non-compliant, but “improperly” certifying compliance in 2020, and not filing a certificate of compliance in 2018 or 2019.

    The point of these actions, of course, is to have other regulated entities look at the fine of $1.9M and decide it’s cheaper to spend $600K to come into compliance (which it most certainly is - and is a better business strategy). I’d look for these enforcement actions to pick up. DFS has already hit Coinbase with a $50M fine this year, and required them to invest an additional $50M into their compliance program.

  4. Finally, all of these regulations and regulatory actions could seem like small potatoes compared to what might be contained in the National Cybersecurity Strategy. There’s a fascinating piece on the Lawfare blog about what might happen if the Strategy - which has yet to be released, and still has no formal timeline as to its release or enforcement mechanics - changes the game in terms of cyber liability.

    The Strategy has “proposed to shift liability for insecure software products and services to ‘those entities that fail to take reasonable precautions to secure their software.’” Lawfare calls this idea “truly revolutionary,” “risky,” and “ambitious.” And it is.

    Fortunately, we have plenty of precedent about liability, and the legal mechanics governing it, but we also have an industry - software - that has become critical to our everyday lives and has so far skirted any real impact of liability. Many businesses operate with mountains of liability, so arguments that this would hamper innovation or kill the business are likely to fall on deaf ears.

Indeed, it seems the wheels of government, though turning slowly, are about to require all of us to up our game in terms of cyber defense and reporting capability, and to reconsider our position regarding liability. There will be laggards, of course, or those who make the business decision to delay any changes in favor of the “wait and see” approach that has generally been viable with regard to privacy regulations like GDPR and CCPA.

The difference here, however, is that a “wait and see” approach exposes you to the vast threat landscape of ransomware and every other threat actor, and eventually regulators will be the least of your concern. In this instance, wait and see - or, as the kids are saying these days, “fuck around and find out” - is not the road I’d suggest.

Fundraising

We talked last week about “relatively modest” numbers - and here we are one week later putting up nearly 10x what we did last week, with more than $40B in newly committed capital. Sure, some of that came from big new funds for existing firms with long track records, but it’s simply hard to discount the amount of commitment that LPs are continuing to make to the private capital markets.

We’re going to see deal flow pick up significantly in 2023, even as financing environments provide some headwinds. TechCrunch had an article over the weekend about consolidation in FinTech, noting that there were five closed deals last week alone, with acquisitions being made by big players like BlackRock, Fidelity, and American Express - and the trend of capitalizing on a bear market to scoop up valuable technology or talent (or both) will continue. I agree.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you every Monday for Cyber Risk at Deal Speed.

Links

https://www.fcc.gov/document/fcc-proposes-updated-data-breach-reporting-requirements

https://www.reuters.com/legal/government/sec-sues-covington-law-firm-names-300-clients-caught-up-hack-2023-01-11/

https://www.jdsupra.com/legalnews/new-york-department-of-financial-7845012/

https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202301041

https://www.lawfareblog.com/cyber-liability-fight-begins

https://techcrunch.com/2023/01/15/so-much-fintech-ma/
