With supply chain disruptions making top news since the start of the pandemic - not to mention a spike in ransomware attacks - both US and EU governments have taken several concrete measures over the last couple of years towards shoring up cybersecurity in both the public and private sectors.
While some measures hold significant weight, others are either proposals or simply signal to companies that a vulnerable supply chain will be less permissible in the coming months and years. Still, as a procurement and supply chain leader, it’s critical to understand the direction of legislative trends with regard to regulatory compliance.
We’ve rounded up a few key bills, proposals and new legislation that speak to the renewed push for better cybersecurity and an overall safer supply chain.
At the height of the pandemic and on the heels of recent ransomware attacks, President Biden issued an executive order in February 2021 detailing the need for more resilient and secure supply chains. While the order outlined a myriad of guidelines and demands, such as risk reporting and heightened production for key goods and materials, it also underscored the importance of strong, standardized cyber defenses. Less prescriptive than strategic, the executive order put cybersecurity on the map as a key risk domain for supply chain leaders to prioritize.
Almost a year later, the National Academy of Public Administration released a report commissioned by the Cybersecurity and Infrastructure Security Agency (CISA) that attempted to address concerns around the state of CISA and other federal cybersecurity workforce programs, how CISA could meet the country’s growing cybersecurity workforce needs, and the effectiveness of current programs on cybersecurity governance across the public and private sectors. Among its findings, the report concluded that the federal government “lacks a comprehensive, integrated government-wide strategy for developing a national cybersecurity workforce.”
The report was less actionable for private sector leadership, but it still continued the momentum for more robust oversight of an important national challenge.
The Cyber Incident Reporting Act, part of the Strengthening American Cybersecurity Act, was signed into law in March 2022. Addressing concerns over a number of recent cyber attacks on both public and private sector organizations - such as Colonial Pipeline and the 2020 SolarWinds hack impacting the federal government - the bill requires organizations in critical infrastructure sectors - including, but not limited to, energy, industrial defense, critical manufacturing, financial, and emergency services - to report certain cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. It also expands CISA’s role in governance and rule-making among federal agencies.
Around the same time, the SEC also released its own set of proposed rules around public company disclosure of cyberattacks. The rules would require reporting within 4 days - rather than 72 hours - of a cyberattack. They would also mandate regular reporting on cyber risk management plans.
Most recently, this past June, two additional cybersecurity bills were passed as well. While they are aimed at government sectors, they still detail necessary infrastructure and accountability improvements to be made and potentially mirrored for private firms as well. The State and Local Government Cybersecurity Act of 2021 is designed to improve coordination between CISA and state, local, tribal, and territorial governments. It also increases the role of the Department of Homeland Security (under which CISA lives) to conduct periodic exercises and training with state and local governments to assess and shore up cyber defenses.
The Federal Rotational Cyber Workforce Program Act of 2021 was also passed in June, signaling a commitment to continuously educate and utilize best-in-class security practices within the federal government. US government employees will be allowed to rotate through job roles across agencies, with the intention of enhancing expertise and even allowing the federal government to compete more effectively with the private sector for top talent. While the act doesn’t directly impact compliance-related efforts conducted by private firms, it does reiterate the need for expertise and high quality resources at the national level.
The EU has also kept busy with strengthening global supply chains via enhanced cybersecurity, one of the more notable steps being a new draft law released in May. The Network and Information Systems Directive, commonly referred to as NIS2, would tighten companies’ cybersecurity obligations, specifically with regard to reporting requirements and disclosures, and all member states would have to comply. While the second version was proposed in 2020 - on the heels of the original 2018 regulation - the updated provisional agreement would have a wider scope of enforcement and close interpretation loopholes that became apparent in the 2018 law. Specifically, more information sharing between EU member states and private sector firms would be mandated, particularly within key industries outlined in the bill.
From the growth of the ransomware-as-a-service industry to seemingly nonstop global supply chain hurdles, governments and large firms are feeling the pressure to protect themselves from cyber criminals and criminal organizations. But new compliance requirements and regulations are only effective if companies have the supplier intelligence tools to implement them. After all, gauging cybersecurity threats requires input from a variety of supplier risk domains and metrics - some of which are within an information security department’s purview and some of which are not. Hence, innovative intelligence tools and ongoing collaboration between procurement, information security, legal and leadership teams are paramount, not only to comply with laws but also to protect companies from attack.