
CIOs play a role in responding to cybersecurity regulations

CIOs will need to pay attention to cybersecurity regulations that often include multiple requirements for businesses to maintain safe and secure IT systems.

As cyberattacks against businesses and other organizations continue to increase each year, governments globally are responding with cybersecurity regulations that affect CIOs.

MIT tracked a 20% increase in data breaches from 2022 to 2023 and is following more than 170 regulations mandating cybersecurity requirements for businesses, said Stuart Madnick, a professor of information technology at MIT. Madnick spoke during the 2024 MIT Sloan CIO Symposium.

Cybersecurity regulations stem from multiple entities in the U.S., including the White House, Congress, 36 state governments, the Federal Trade Commission and the Securities and Exchange Commission (SEC), as well as government entities in other countries. Most of those regulations affect IT systems, Madnick said.

Regulations typically do not focus on a single issue. Indeed, in assessing cybersecurity regulations, Madnick said there are at least 18 requirements that the rules consistently ask companies to implement. These can serve as a blueprint for CIOs looking to stay abreast of compliance and prepare for cyberthreats.


"Many of these regulations cover multiple areas," Madnick said. "The penalties, publicly and financially, of violating these regulations can be substantial."

Top 5 cybersecurity regulation requirements

While cybersecurity regulations overlap in multiple areas, Madnick said five requirements in particular affect CIOs.

1) Software bill of materials

A software bill of materials (SBOM) is a comprehensive inventory of the components, including third-party and open source libraries, that make up a software product, Madnick said. Legislation such as the National Defense Authorization Act for Fiscal Year 2023 mandates that any business working with the Department of Defense or the Department of Energy must present such a list for every new contract. In Europe, the Cybersecurity Act makes a similar requirement.

Madnick cited the Log4j situation as an example of how an SBOM could be helpful. Log4j is an open source Java logging library embedded in a vast number of products; the critical Log4Shell vulnerability disclosed in December 2021 (CVE-2021-44228), followed by several related flaws, led to widespread cyberattacks. In light of the vulnerabilities, CIOs and business leaders were forced to dig through their systems to determine whether Log4j was buried within the layers of their software products.

"Many companies didn't know they had it because they personally had never acquired Log4j," Madnick said. "What they had acquired was an accounting system, for example, and they didn't realize the developers of those accounting systems had installed Log4j as part of its components."
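The situation Madnick describes, an accounting system that carries Log4j several layers down, is exactly the question an SBOM lets you answer mechanically. The following is an added example, not code from the article or from MIT: it walks a small CycloneDX-style SBOM, constructed inline with hypothetical product names, and flags every embedded log4j-core by version, wherever it sits in the component tree. The 2.15.0 and 2.17.1 thresholds are the upstream fix versions for CVE-2021-44228 and the follow-on December 2021 Log4j CVEs; in practice you would take the affected range from the advisory or a vulnerability database rather than hard-code it.

```python
"""Walk a CycloneDX-style SBOM and flag embedded log4j-core components."""
import json

# Constructed sample SBOM (CycloneDX 1.4 JSON shape). Product and library
# names other than log4j-core are hypothetical.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "acme-accounting", "version": "7.2",
     "components": [
       {"type": "library", "group": "com.fasterxml.jackson.core",
        "name": "jackson-databind", "version": "2.12.3"},
       {"type": "library", "group": "org.apache.logging.log4j",
        "name": "log4j-core", "version": "2.14.1"}]},
    {"type": "application", "name": "acme-reporting", "version": "3.0",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.17.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"type": "application", "name": "internal-batch", "version": "1.0",
     "components": [
       {"type": "library", "name": "helper-lib", "version": "0.9",
        "components": [
          {"type": "library", "group": "org.apache.logging.log4j",
           "name": "log4j-core", "version": "2.16.0"}]}]},
    {"type": "application", "name": "legacy-portal", "version": "4.1",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}]}
  ]
}
"""

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_PURL_PREFIX = f"pkg:maven/{LOG4J_GROUP}/log4j-core@"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    A pre-release (anything after '-') sorts below the final release that
    carries the same numbers, so '2.0-beta9' < '2.0'.
    """
    main, _, pre = text.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + (0 if pre else 1,)


# Assumed thresholds: 2.15.0 fixed CVE-2021-44228 (Log4Shell); 2.17.1 closed
# the follow-on CVEs (2021-45046, 2021-45105, 2021-44832).
FIXED_LOG4SHELL = parse_version("2.15.0")
FIXED_FOLLOW_ON = parse_version("2.17.1")


def is_log4j_core(comp):
    """Match by Maven coordinates or by package URL, since SBOMs vary."""
    by_coords = comp.get("group") == LOG4J_GROUP and comp.get("name") == "log4j-core"
    by_purl = comp.get("purl", "").startswith(LOG4J_PURL_PREFIX)
    return by_coords or by_purl


def walk(components, path=()):
    """Yield (path, component) for every component, recursing into nested
    'components' so transitively bundled libraries are not missed."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version', '?')}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def classify(version):
    v = parse_version(version)
    if v < FIXED_LOG4SHELL:
        return "vulnerable: CVE-2021-44228 (Log4Shell)"
    if v < FIXED_FOLLOW_ON:
        return "review: follow-on Log4j CVEs fixed in 2.17.1"
    return "patched"


def find_log4j(sbom):
    """Return one finding per embedded log4j-core, with its location and status."""
    findings = []
    for path, comp in walk(sbom.get("components", [])):
        if is_log4j_core(comp):
            findings.append({"path": " > ".join(path),
                             "version": comp["version"],
                             "status": classify(comp["version"])})
    return findings


SAMPLE_SBOM = json.loads(SAMPLE_SBOM_JSON)

if __name__ == "__main__":
    for f in find_log4j(SAMPLE_SBOM):
        print(f"{f['status']:48} {f['path']}")
```

The recursion through nested `components` is the part that matters: the second and fourth products above never declare Log4j at the top level, which is the "we never acquired Log4j" case from the quote. Matching on both Maven coordinates and the package URL guards against SBOMs that omit the `group` field.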

2) Secure by design

Secure by design means implementing cybersecurity measures at the beginning of the product design process rather than adding them on at the end, which Madnick said is a significant challenge for businesses that don't operate that way. But cybersecurity regulations like the California IoT Act require device manufacturers to implement reasonable security features throughout the product's design.

Madnick said thinking about cybersecurity at the beginning would help protect businesses in the long term not only from running afoul of regulations, but from other issues down the road.

"Tacking it on after the fact is not always easy to do," he said. "In some cases, it almost requires you to disassemble and redesign the entire product."

3) Prohibition on ransomware payments

A ransomware attack occurs when cyberattackers encrypt or steal a company's data and demand payment to restore access or return it. However, Madnick said multiple U.S. state regulations, including in North Carolina, prohibit businesses from paying ransomware demands in an effort to discourage ransomware attacks by making them unprofitable for attackers.

Some businesses include ransom payments in corporate policies or negotiate with insurance companies to determine whether ransomware attacks will be covered, but Madnick said CIOs will need to consider "what is your corporate policy" and "how does your corporate policy relate to the various regulations out there."

4) Data governance

CIOs must pay attention to data rules, including what data can be collected, how long it can be kept and how it is protected. Multiple U.S. states have passed laws governing data privacy, and the General Data Protection Regulation (GDPR) serves as the EU's primary data governance legislation.

"There's a whole range of issues in data governance," Madnick said. Safeguarding data is an important issue in every company, he added.

5) Incident reporting

Required cybersecurity incident reporting is a new development for most businesses, Madnick said. Until recently, it wasn't a requirement unless a cybersecurity incident involved the release of personal information. He said incident reporting is a "very active area for regulations."

For example, the SEC's cybersecurity disclosure rules, adopted in 2023, require public companies to disclose on Form 8-K any cybersecurity incident they determine to be material, generally within four business days of that materiality determination, including the incident's nature, scope and timing and its material impact on the company's financial condition and results of operations.

Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
