CIOs play a role in responding to cybersecurity regulations

Top 5 cybersecurity regulation requirements

While cybersecurity regulations overlap in multiple areas, Madnick said five requirements in particular affect CIOs.

1) Software bill of materials

A software bill of materials (SBOM) is a comprehensive inventory of components used in various products, Madnick said. Legislation such as the National Defense Authorization Act for Fiscal Year 2023 mandates that any business working with the Department of Defense or the Department of Energy must present such a list for every new contract. In Europe, the Cybersecurity Act makes a similar requirement.

Madnick cited the Log4j situation as an example of how an SBOM list could be helpful. Log4j is an embedded open source software component that was discovered to have multiple vulnerabilities that resulted in widespread cyberattacks. In light of the vulnerabilities, CIOs and business leaders were forced to decipher their systems to determine if Log4j was embedded within the layers of their software products.

"Many companies didn't know they had it because they personally had never acquired Log4j," Madnick said. "What they had acquired was an accounting system, for example, and they didn't realize the developers of those accounting systems had installed Log4j as part of its components."

2) Secure by design

Secure by design means implementing cybersecurity measures at the beginning of the product design process rather than adding them on at the end, which Madnick said is a significant challenge for businesses that don't operate that way. But cybersecurity regulations like the California IoT Act require device manufacturers to implement reasonable security features throughout the product's design.

Madnick said thinking about cybersecurity at the beginning would help protect businesses in the long term not only from running afoul of regulations, but from other issues down the road.

"Tacking it on after the fact is not always easy to do," he said. "In some cases, it almost requires you to disassemble and redesign the entire product."

3) Prohibition on ransomware payments

A ransomware attack occurs when cyberattackers lock down or steal a company's data and require payment to return or unlock it. However, Madnick said multiple U.S. state regulations, including in North Carolina, prohibit businesses from paying ransomware demands in an effort to discourage ransomware attacks by making them unprofitable for attackers.

Some businesses include ransom payments in corporate policies or negotiate with insurance companies to determine whether ransomware attacks will be covered, but Madnick said CIOs will need to consider "what is your corporate policy" and "how does your corporate policy relate to the various regulations out there."

4) Data governance

CIOs must pay attention to data rules, including what data can be collected, how long it can be kept and how it is protected. Multiple U.S. states have passed laws governing data privacy, and the GDPR serves as the EU's primary data governance legislation.

"There's a whole range of issues in data governance," Madnick said. Safeguarding data is an important issue in every company, he added.

5) Incident reporting

Required cybersecurity incident reporting is a new development for most businesses, Madnick said. Until recently, it wasn't a requirement unless a cybersecurity incident involved the release of personal information. He said incident reporting is a "very active area for regulations."

For example, the SEC's new cybersecurity rules require businesses to report cybersecurity incidents with material impact on a company's financial condition or business operations within four days of the incident.

Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.