Remediation planning under a binding operational directive. Cybersecurity of bulk electric systems. SEC Regulation Systems Compliance and Integrity.
At a glance.
- Remediation planning under a binding operational directive.
- FERC may introduce regulations for the cybersecurity of bulk power systems.
- The SEC may expand Regulation Systems Compliance and Integrity (Reg SCI).
Developing an agency remediation plan under CISA's binding operational directive.
A binding operational directive issued in November by the Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies two new tools to help protect their information systems from intrusion: a catalog of vulnerabilities that CISA knows to be actively exploited, and a set of requirements that all federal agencies must follow to remediate those vulnerabilities. It is still up to each agency (and its third-party service providers) to develop a remediation plan that incorporates these requirements. Dark Reading recommends that a robust plan identify third-party risks so that connected systems do not expose sensitive data to attack. Systems must also be monitored continuously so that the response to an intrusion can be immediate. Employee training to help staff recognize and avoid threats is also essential, and regular updating will ensure that available patches are actually applied.
FERC considers new regulations to defend bulk power systems.
With the recent wave of cyberattacks affecting critical infrastructure (see the SolarWinds incident), SC Magazine reports that the US Federal Energy Regulatory Commission (FERC) is considering new regulations that would require bulk electric system (BES) operators to implement internal network security monitoring. The North American Electric Reliability Corporation (NERC) would be tasked with developing updated reliability standards for high- and medium-impact systems; until now those standards have focused primarily on securing the grid perimeter. In its notice of proposed rulemaking last week, FERC said, “Based on the current threat environment…the requirement for [internal network monitoring] that augments existing perimeter defenses is essential to increasing network visibility so that an entity can understand what is happening in its CIP network environment, and thus improve its ability to detect potential compromises in a timely manner.” Monitoring tools could help BES operators establish a baseline of normal network behavior and so better detect intrusions and malicious activity. FERC is also seeking public input on whether the directive should extend to cybersecurity standards for low-impact BES systems.
SEC chair suggests expanding Reg SCI.
In a keynote address at Northwestern Pritzker School of Law’s 2022 Securities Regulatory Institute, Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), discussed expanding Regulation Systems Compliance and Integrity, or Reg SCI. Bloomberg explains that Reg SCI was adopted in 2014 to give the SEC greater oversight of the technology supporting US trading systems, and Gensler indicated that it might be time for some changes. “The primary goal of Reg SCI was to reduce the occurrence of system issues and improve resiliency when they do occur,” Gensler said. “A lot has changed, however, in the eight years since the SEC adopted Reg SCI.” He suggested adjustments to breach notification requirements, disclosure of cybersecurity practices, and rules for third-party service providers. ThinkAdvisor adds that Gensler urged investment firms and advisers not covered by Reg SCI to work on their cyber hygiene to ensure they comply “with various rules that may implicate their cybersecurity practices, such as books and records, compliance, and business continuity regulations.” On data privacy, Gensler said he has sought input from SEC staff on potential updates to Regulation S-P, which governs how investment firms and brokers protect client data.