The Biggest Cybersecurity Policy & Legislation in 2021

High-profile cybersecurity attacks have brought the topic of cybersecurity policy and legislation to the forefront for many organizations. The first half of 2021 alone has been rife with cybersecurity challenges in the United States — from the Colonial Pipeline ransomware attack that created temporary gas shortages and price surges across the East Coast to the breach of U.S. government networks by Russian intelligence-backed hackers.

Cybersecurity has emerged as a clear bipartisan concern in the U.S. The Senate’s new infrastructure bill contains provisions such as a $20 million Cyber Response and Recovery Fund, and increases penalties for cybercriminals. President Biden also issued an Executive Order in May following the Colonial Pipeline and SolarWinds attacks mandating that all federal information systems implement multi-factor authentication, end-to-end data encryption, and accelerate migrations to cloud-based providers within 180 days of the order.

As concern around cybersecurity continues to mount across the country, we see it also reflected in government affairs teams across the board. The number of cybersecurity-related Discovery Alerts in our FiscalNote platform increased by 87 percent compared to the first half of 2020.

We took a deeper dive into our usage data to identify the key topics of concern emerging for our clients, and what legislation is raising the most interest. Read on to get a sense of what’s ahead in the cybersecurity policy landscape in the United States.

Cybersecurity Hot Topics

1. Automobile telematics

Automobile telematics typically refers to vehicle monitoring devices in automobiles that track location, speed, fuel consumption data, and more. While the connected car ecosystem creates a lot of consumer convenience, it also brings about additional risk; hackers gaining control over self-driving vehicles could result in tragic accidents, or sensitive location data could be leaked.

Telematics has also led to experimental new insurance models, called Usage-Based Insurance (UBI), in which automobile insurance companies use data points such as acceleration speeds, braking frequency, weather conditions, and other factors to create more tailored insurance premiums. According to the National Law Review, several groups have attempted to sue automobile manufacturers for cyber vulnerabilities but none have been successful so far.

The United Nations Economic Commission for Europe has created new regulations for automotive cybersecurity and software update management that will be mandatory in the European Union for all new vehicles produced after July 2024 that Japan and Korea have also agreed to implement on separate timelines. These regulations do not apply to the United States but automobile manufacturers and insurance companies should continue to monitor the evolving vehicular cybersecurity space.

2. Consumer privacy and cybersecurity

In addition to concerns around a patchwork of state-level consumer privacy proposals, a bipartisan group of Senators introduced the Federal Cyber Incident Notification Act of 2021 which would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of breach detection. Some organizations could begin to have additional responsibilities around reporting cybersecurity events if legislation like the Federal Cyber Incident Notification Act continues to propagate.

3. Cyber insurance

Cyber insurance is a type of insurance that companies can purchase to recoup costs related to cyber incidents; insurance companies have been offering these plans since the 90s. In recent years, as ransom hacking, in particular, has skyrocketed and many companies simply opt to use their cyber insurance to pay the ransom, insurance companies have struggled to price these plans appropriately. The average ransom demand was $170,000 in 2020 according to the World Economic Forum, with ransomware victims paying $350 million in 2020 alone. As cyberattacks have increased, so have insurance premiums. The Government Accountability Office found that cyber insurance premiums rose by 10-30 percent in the second half of 2020 alone.

4. Voting cybersecurity

Concerns around voting cybersecurity have been heating up since Russia accessed some states’ voting systems and stole hundreds of thousands of voters’ personal information in 2016. Keywords that FiscalNote clients used in voting cybersecurity searches included potential voter data being hacked, ranked-choice voting, and general security.

State election officials face complex issues going into the 2022 midterm elections after claims of voter fraud marred the 2020 Presidential election. States have since enacted various election integrity policies but new cybersecurity regulation for voting at a federal level does not yet exist.

Top 5 Cybersecurity Policy and Legislation

Looking at usage data from FiscalNote, the most tracked bills related to cybersecurity in our platform might not seem relevant at first glance. That speaks to how ubiquitous cybersecurity is becoming across all sectors and how interwoven it is with other pressing topics.

Here are the top 5 cybersecurity legislation you should be monitoring:

1. INVEST in America Act

On the surface, it may be surprising to see an infrastructure bill at the top of a cybersecurity list. The INVEST in America Act contains many cybersecurity provisions making it clear that cybersecurity is now thought of as part of America’s critical infrastructure. The bill includes $600 million in funding to improve cybersecurity in the water, power, and transportation infrastructures, a $1 billion fund for state, local, and tribal governments to improve their security practices, and a provision for funding the new office of the National Cyber Director at a rate of $20 million annually through 2028.

2. American Rescue Plan Act

The American Rescue Plan Act included $1 billion for the Federal Technology Modernization fund (established in the Modernizing Government Technology Act of 2017). The Federal Technology Modernization fund is intended to act as a pool of funds that government agencies can use to apply for technology upgrade loans.

3. North Carolina 2021 Appropriations

The 2021 appropriations bill includes a cybersecurity reporting section that requires the Department of Information Technology to develop a cybersecurity plan on how it will use its funds received for cybersecurity purposes. The Department will be required to submit its final plan to the Joint Legislative Oversight Committee on Information Technology and the Fiscal Research Division on or before October 1, 2021.

4. Texas 2021 Appropriations

With $800 million appropriated just for cybersecurity, the state of Texas may have the most robust cybersecurity planning of the states. The state budget places a special emphasis on the protection of state agencies and replacing legacy systems.

5. For the People Act

The Democrat-led voting bill includes grants for voter system security improvements and imposes requirements on voting vendor companies including cybersecurity reporting and that the vendor companies be owned or controlled by United States citizens or permanent residents.

Interest in Cybersecurity Policy From All Sectors

The number of new discovery alerts for cybersecurity and related topics in our FiscalNote platform saw a modest increase during the summer of 2020 when vulnerabilities around extended remote work became more and more evident. But when the high-profile attacks at the beginning of 2021 hit, the number of new alerts skyrocketed as talks around policy to make notification about data breaches and criminal hacks mandatory started to gain strength. These numbers mean government relations, public affairs, and advocacy professionals like yourself, are looking to stay ahead of any new developments around this issue that could affect the way you conduct business.