On Dec. 15, the Securities and Exchange Commission’s (SEC’s) expanded cybersecurity rules came into effect, requiring public companies to disclose incidents within four business days. That means headline-grabbing breaches–such as the one that affected all Okta customer support system users or the 23andMe hack that included the information of nearly 7 million customers–will have even greater consequences than whatever data was compromised. And the SEC rules are only the tip of the iceberg of changes to regulatory compliance.
With little fanfare and largely unnoticed by the press, institutional investors, or anyone else, the federal government is quietly directing a seismic shift in the economy by mandating stringent cybersecurity compliance across all 16 critical infrastructure sectors.
These sectors include well-known and highly relegated markets such as the defense industrial base, financial services, and energy–regulated by the Department of Defense (DoD), SEC, and Department of Energy (DoE), respectively. However, often overlooked are the subsectors beneath those 16 sectors, which essentially combine to comprise nearly every company and component of our economy, making nearly every business in scope for the emerging cybersecurity compliance regulations flowing down across the federal government at an increasingly rapid pace. The commercial facilities sector, for instance, consists of eight subsectors, including real estate, retail, sports leagues, and entertainment venues. There is no place to hide from cybersecurity regulation and mandatory minimum cybersecurity requirements.
A boon for the industry
While some argue government overreach, it’s clear why these regulations are coming fast and furious. Russia poses a tremendous cyber threat–it even breached the DoE–and intelligence officials have warned of potential threats from China.
This heightened cybersecurity revolution began last year with the White House’s executive order and unfolds as a movement that transcends borders. A dozen nations have aligned with the U.S. cybersecurity efforts, reflecting a collective endeavor toward a fortified global digital economy.
We’re heading toward a burgeoning market for cybersecurity compliance, with the ripple effects resonating through legal corridors as fraudulent cybersecurity claims come under the judicial scanner. Proper security controls will no longer be a choice, but a legal and economic imperative, marking a new epoch of digital resilience and a reinforced economic structure.
This is already required for DoD contractors through the Defense Federal Acquisition Regulation Supplement (DFARS), and soon the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. Within a few years, it’s likely government contractors outside of defense efforts will also be required to meet mandatory minimum cybersecurity requirements as a condition of being awarded any federal contract.
The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policies that exist today. Individual departments and agencies are not waiting for that day to come and are furiously issuing their own regulatory requirements.
We’ve already seen the Transportation Security Administration (TSA) issue new requirements for airport and aircraft operators, the Department of Homeland Security (DHS) act to protect controlled unclassified information (CUI), the Environmental Protection Agency (EPA) aim to safeguard the water sector, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Pulling all the levers
The government is pulling every regulatory lever available to quietly define and enforce mandatory cybersecurity minimums on the entire economy in the same way it mandates seatbelts, airbags, and other safety features in automobiles.
This addressable market expansion doesn’t stop at the border: Canada recently adopted CMMC for its defense industrial base, and Japan will also require government contractors to meet U.S. cybersecurity rules.
The pressure to meet mandatory cybersecurity minimums isn’t just about winning federal contracts. The Department of Justice is actively looking for fraud by using the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. Cases have begun piling up as whistleblower employees come forward to collect large rewards.
Last October, Pennsylvania State University was sued by a former chief information officer (CIO) for allegedly failing to safeguard CUI and falsifying security compliance reports. The case is ongoing, but there’s already precedent. Last July, Aerojet Rocketdyne agreed to pay $9 million to resolve a similar case. More than $2.2 billion was paid out in settlements and judgments in False Claims Act cases last year–and over $1.7 billion was related to the healthcare industry.
To further cement the government’s resolve to put teeth to these regulations, it has begun suing individual companies and employees for defrauding investors by misleading them about cyber vulnerabilities as it did SolarWinds and its former vice president of security, Tim Brown.
Every sector of the economy is under a transformative directive to fortify its digital defenses. Security posture has evolved from a superlative to a crucial factor that affects the bottom line. This isn’t just a policy change–it's a paradigm shift, making cybersecurity compliance a legal imperative because its implications are more far-reaching than ever before.
Eric Noonan served with the United States Marine Corps, Central Intelligence Agency, and is the CEO of CyberSheath.
More must-read commentary published by Fortune:
- Economic pessimists’ bet on a 2023 recession failed. Why are they doubling down in 2024?
- COVID-19 v. Flu: A ‘much more serious threat,’ new study into long-term risks concludes
- Access to modern stoves could be a game-changer for Africa’s economic development–and help cut the equivalent of the carbon dioxide emitted by the world’s planes and ships
- The U.S.-led digital trade world order is under attack–by the U.S.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.