Friday Five: Upcoming Regulatory Changes, a New Cyber Force, & More

REVAMPED PRIVACY BILL SAILS THROUGH HOUSE SUBCOMMITTEE BY DEREK B. JOHNSON

The House Energy and Commerce subcommittee approved a revised draft of the American Privacy Rights Act (APRA), moving closer to comprehensive federal privacy legislation. The APRA would set baseline data privacy protections and impose restrictions on U.S. businesses' data handling, including key provisions from COPPA 2.0 that enhance protections for minors and teenagers. Despite bipartisan support, lawmakers raised concerns about biometric data collection, algorithmic bias, and the need for clearer definitions. The bill must pass the full House Energy and Commerce Committee, the House, and the Senate before becoming law. Further amendments and negotiations are expected.

Read more

FINANCIAL INSTITUTIONS HAVE 30 DAYS TO DISCLOSE BREACHES UNDER NEW RULES BY DAN GOODIN

The SEC has updated Regulation S-P, mandating financial institutions to disclose security breaches within 30 days of detection. These amendments require broker-dealers, investment companies, advisers, and transfer agents to notify affected individuals and implement policies to manage unauthorized data access. The changes expand protections to include information from other institutions and align safeguards and disposal rules, but notifications are exempt if no significant harm is likely. Despite Commissioner Hester M. Peirce's expressed concerns about potential overreach, the amendments will take effect 60 days after publication, with larger firms having 18 months and smaller firms having 24 months to comply.

Read more

CISOS AND THEIR COMPANIES STRUGGLE TO COMPLY WITH SEC DISCLOSURE RULES BY ROBERT LEMOS

The SEC's new cybersecurity disclosure rules, effective since December, require publicly traded companies to report security breaches within 30 days, influencing how these firms handle incidents with third-party providers. These companies often demand control over incident response and quick materiality assessments from their providers, creating pressure and risks for CISOs. While large firms have established processes, smaller companies struggle to comply, with concerns over job security among security professionals. This regulatory pressure places CISOs at the forefront, facing significant responsibility and legal risks, potentially leading to a revolving door in their positions.

Read more

EPA WILL STEP UP INSPECTIONS OF WATER SECTOR CYBERSECURITY BY CHRISTIAN VASQUEZ

The EPA is ramping up its cybersecurity focus for water utilities, citing a rise in attacks and non-compliance with security measures. Recent incidents, including Russian and Iranian-linked hacks, underscore the vulnerability of U.S. water systems. The agency plans to increase inspections and enforcement actions, urging utilities to conduct risk assessments and develop emergency response plans. Despite legal challenges, the EPA aims to impose cybersecurity mandates, while industry groups advocate for a dedicated federal regulator. Concerns over cyber threats prompted the EPA and White House to reach out to governors, highlighting the urgency of addressing cybersecurity vulnerabilities in water systems.

Read more

CYBER FORCE STUDY GETS ADDED TO HOUSE PANEL’S 2025 DEFENSE POLICY BILL BY DAVID DIMOLFETTA

The House Armed Services Committee advanced a measure to study the creation of an independent Cyber Force military branch, proposed by Rep. Morgan Luttrell. Concerns over the adequacy of current military cyber formations prompted the initiative, with studies highlighting inefficiencies and shortcomings. The proposed Cyber Force, linked to the Army, would address these issues with a dedicated budget and personnel. The measure moves to the House floor for consideration before reaching the Senate. If established, the Cyber Force would follow the Space Force's creation in 2019 but may face challenges such as staffing transitions and potential impacts on existing cyber operations.

Read more