The goal is to raise baselines for everyone so that organizations are all on a level playing field, eliminating weak spots. “It’s executing new regulations to raise those minimum items for security baselines, but it’s also harmonizing the regulations that currently exist,” Walden said. “It is inefficient to ask companies to prove that they are meeting their cybersecurity requirements or cybersecurity baselines over and over again, and then check the box and then do it in a discordant way.”
Most software is insecure
One core factor in why cybersecurity incidents happen, according to Anne Neuberger, deputy national security advisor for cyber and emerging technology, National Security Council, is that most software is insecure. “Software isn’t built securely. It’s deployed quickly and there are no requirements for software standards,” she said, which is why five months after President Biden assumed office, he issued a comprehensive executive order that requires secure software development, mainly by writing those requirements into federal government contracts.
“It’s a really powerful tool that we haven’t used well before,” Neuberger said. “We will require that any tech we buy–and companies and government agencies are all buying the same email software, word processing software, etc.–must meet particular standards.”
One looming danger that can threaten cybersecurity resilience is artificial intelligence (AI), which, despite offering many societal benefits, can be used to accelerate malware delivery, Neuberger said. “From a cybersecurity perspective, we have seen adversaries use AI to generate malicious code more rapidly, to more rapidly generate polymorphic code that can adjust and make it harder for a lot of our cybersecurity techniques today to detect,” Neuberger said. Although the administration has yet to introduce actions that address this threat, “the White House has a very accelerated policy process that we’re working through to determine what the president can do and what areas we’re working on do we need to work on with the Congress.”
Organizations need to implement real cyber resilience policies
“Cyber resilience is a concept that I think recognizes that breaches and cyber incidents are likely going to happen and that firms need to be prepared to respond appropriately when they do,” said Gurbir Grewal, director of the Division of Enforcement at the Securities and Exchange Commission (SEC). “It’s not a matter of if but rather when. This is certainly true in my world where SEC registrants such as public companies, broker-dealers, and investment advisors possess an incredible amount of electronic data about innumerable entities and individuals.”
Although market participants are doing their best to prevent and respond to cyber incidents, “firms need to have real policies that work in the real world, and then they need to actually implement those policies,” Grewal said. “Having generic check-the-box, off-the-shelf cybersecurity policies simply doesn’t cut it.”