In 2023, governments worldwide unveiled a series of cybersecurity strategies and regulations. Together these initiatives mark a significant change in how cybersecurity is approached and managed, especially in software development and corporate governance. The expectation is clear: software providers must improve their security practices to prevent cyber attacks and to limit the consequences of those attacks for national and global security.
Let’s look at the key cybersecurity strategies and guidelines that emerged this year:
- White House National Cybersecurity Strategy
- SEC’s New Cybersecurity Rules
- Secure by Design
- AI Regulations
- Healthcare Sector Response
White House National Cybersecurity Strategy
In March 2023, the U.S. White House released its National Cybersecurity Strategy, which proposes shifting liability for insecure software products and services onto the companies that build them, rather than the end users who deploy them. Software companies are going to shoulder more responsibility for the security of their products (and their customers) than ever before, and your organization’s risk register needs to reflect this.
This is a game-changer because it puts the onus on software companies to ensure their products are secure before they ship. The message is clear: security can’t be an afterthought in software development.
SEC’s New Cybersecurity Rules
In July 2023, the Securities and Exchange Commission (SEC) adopted its final rules on cybersecurity disclosure. The rules underscore the escalating importance of cybersecurity in corporate governance and risk management: beyond incident reporting, public companies must also describe their cybersecurity risk management, strategy and governance in their annual reports.
Public companies must now disclose material cybersecurity incidents promptly. The most noteworthy aspect of the regulation is the tight four-business-day window for that disclosure, which starts from the moment the company determines that an incident is material, not from the moment the incident is discovered. That makes a documented, repeatable materiality assessment process a practical necessity.
This “four-day rule” is a transformative step for cybersecurity reporting. It ensures that breaches reach the public quickly and sharply reduces the time a company has to evaluate and describe an incident.
Case Study: SolarWinds and the SEC Charges
A wake-up call for application security: on October 30, 2023, the SEC filed charges against software company SolarWinds and its chief information security officer, Timothy Brown, alleging that the company misled investors about the state of its cybersecurity practices and the risks it knew about.
The action stems from the prolonged compromise of SolarWinds’ Orion product, the supply chain attack disclosed in 2020, and it highlights the severe repercussions of neglecting cybersecurity, for the company and for the individual executive. The case is a stark reminder of the heightened responsibilities and personal risks facing software security leaders today.
Secure by Design
In collaboration with international partners, the Cybersecurity and Infrastructure Security Agency (CISA) has renewed its “Secure by Design” initiative. The updated guidance, published in October 2023, expands its reach with input from eight additional international agencies and aims at establishing a global baseline for software security.
The initiative advocates integrating security into the fundamental design of software products, so that security is a primary concern rather than an afterthought. It also calls on software vendors to take ownership of their customers’ security outcomes and to be transparent and accountable about their security practices, starting with leadership at the top of the company.
AI Regulations
Artificial Intelligence (AI) has been at the forefront of innovation across many sectors. Acknowledging AI’s significant impact, President Biden issued an executive order on October 30, 2023 on the safe, secure and trustworthy development and use of AI. The order sets the stage for a comprehensive framework for AI security, including standards for testing AI systems before they are released.
“The executive order balances optimism about the potential of AI with considerations of risk, privacy, and safety from using such systems if unmonitored. The executive order stresses the need for existing agencies and bodies to come together and provides a directive for these organizations to formulate cohesive tools to understand AI systems better and create oversight.” - Sreekanth Menon, Global AI/ML Services Leader at Genpact.
Further solidifying this initiative, CISA and the UK National Cyber Security Centre (NCSC) published joint Guidelines for Secure AI System Development in November 2023, endorsed by 23 cybersecurity organizations in total. The guidelines apply ‘Secure by Design’ principles across the AI lifecycle, covering secure design, secure development, secure deployment, and secure operation and maintenance, and they emphasize ownership of security outcomes, transparency, and making secure design a priority in the organization’s structure.
Healthcare Sector Response
In September 2023, the U.S. Food and Drug Administration (FDA) published extensive premarket cybersecurity guidance for medical devices. It addresses the dynamic and evolving nature of cybersecurity threats in the medical device industry and emphasizes the need for proactive and robust cyber defenses. Notably, manufacturers of connected devices must now include a Software Bill of Materials (SBOM) in their premarket submissions, so that the device’s components, and the vulnerabilities in them, can be tracked over its lifetime.
In a parallel development, the U.S. Department of Health and Human Services (HHS) has outlined its cybersecurity strategy for the healthcare sector. The approach aligns with the national strategy initiated by President Biden and includes proposals for new cybersecurity requirements for healthcare providers, particularly those participating in Medicare and Medicaid.
The strategy also sets out healthcare-specific cybersecurity performance goals and commits HHS to working with Congress on incentives for cybersecurity improvements in domestic hospitals.
Future Trends in Cybersecurity Regulations
Looking ahead, cybersecurity regulation is expected to evolve rapidly, driven by technological advances and emerging threats.
“The trend of increasing government regulation around cybersecurity, particularly the focus on Software Bill of Materials (SBOM), is expected to continue from 2023 into 2024. This regulatory push is raising awareness about software components and their associated vulnerabilities.” - Kelly West, MergeBase’s CTO.
“Right on the one hand, the environmental pressures basically mean more effort has to be put into cybersecurity. At the same time, there’s potentially a budget crunch. But then, with the shift to platform security, there’s an opportunity for companies to deal with these issues more efficiently, and especially to get the kind of basics in place as a step towards the regulatory pressures around SBOM.” - Oscar van der Meer, MergeBase’s CEO.
What Does This Mean for You?
The regulations and guidelines introduced in 2023 have redefined the cybersecurity landscape. They are designed to prevent security breaches and to minimize the ripple effects of cyberattacks on national security. Cybersecurity is no longer a ‘nice to have’; it is a ‘must-have’.
Software vendors will increasingly be held accountable for the security of their products. Adapting your cybersecurity policies and practices is essential to comply with evolving regulations and to avoid severe legal and financial consequences. That adaptation should focus on risk management, compliance, and proactive defense, including knowing exactly which components are in the software you ship.
It is now imperative for everyone in the software supply chain to stay informed, adapt to these changes, and prioritize robust cybersecurity measures.
MergeBase’s approach to SBOM management turns compliance from a separate, complex task into an integrated part of your development workflow. It keeps you ahead of the curve with proactive vulnerability detection and risk management, simplifies adherence to current regulations, and makes it easier to adapt as requirements change, so your organization stays aligned with the latest regulatory expectations.