
Cybersecurity Policy – Developments to Watch

by Nicole D'Angelo, FiscalNote

Stay ahead of cyber threats with our 2024 guide on top cybersecurity policy trends, including AI risks, healthcare legislation, and global data privacy laws.


The cost of cybercrime is already astronomical, and it’s only growing: market data from Statista estimates that it will surge from $9.22 trillion in 2024 to $13.82 trillion by 2028.

Not only that, but new technologies are introducing new threats. In particular, the potential risks of AI demand attention and regulatory action. Existing threats like ransomware and data theft have also grown more disruptive, as illustrated by the recent Change Healthcare and Ascension attacks, which have both paralyzed healthcare networks.

Governments are paying close attention to these issues and others, especially in an election year that’s expected to see a rise in cyberattacks against local government offices.

In this constantly changing field, organizations must be vigilant to both emerging threats and the rules proposed to combat them. Here are some cybersecurity trends and legislation to be aware of in 2024.

Cybersecurity Policy to Watch

Healthcare Cybersecurity Improvement Act of 2024

Healthcare is one of the most frequently targeted industries, so it’s not surprising that FiscalNote usage data reveals that healthcare organizations track bills related to cybersecurity more than any other industry.

Recently, the Change Healthcare cyber breach paralyzed the healthcare industry while exposing the personal data of approximately one third of Americans. In direct response to this incident, Senator Mark Warner (D-VA) introduced the Healthcare Cybersecurity Improvement Act of 2024.

This bill incentivizes healthcare organizations to strengthen their cybersecurity posture with provisions that allow for advance and accelerated Medicare payments to healthcare organizations in the event of a breach, but only if the breached organization had certain cybersecurity protections in place at the time of the attack. It would encourage healthcare organizations to improve their cybersecurity protocols while providing provisions to support continuity of care.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rules

“Among the most pivotal legislative advancements in 2024 is the ongoing CIRCIA rulemaking,” says Alison King of Forescout.

In April 2024, CISA published a notice of proposed rulemaking related to the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). It requires covered entities to report cybersecurity incidents and outlines reporting timelines: 72 hours after a cybersecurity incident and 24 hours after a ransomware payment.

These rules are slated to go into effect in the fall of 2025, and would cover large organizations and those in sectors deemed “critical infrastructure.” The expected requirements “carry extensive implications for organizations,” due to the increased accountability and demands on compliance teams, according to King.

A Focus on Data Privacy Legislation

Legislation around data privacy is of particular interest to many organizations — in fact, the most-tracked cybersecurity bills relate to data privacy bills, according to FiscalNote usage data.

State         | Bill       | Title                                                                         | Status
--------------|------------|-------------------------------------------------------------------------------|--------------
Michigan      | MI SB 659  | Consumer protection: privacy; personal data privacy act: create. Creates new act | In Senate
Maryland      | MD HB 567  | Maryland Online Data Privacy Act of 2024                                      | Passed Senate
Georgia       | GA SB 473  | Georgia Consumer Privacy Protection Act                                       | Failed
West Virginia | WV HB 5338 | Relating to Safe Harbor for Cybersecurity Programs                            | Vetoed
Illinois      | IL SB 3517 | Privacy Rights Act                                                            | In Senate

These include consumer data privacy bills currently under consideration in Michigan and Illinois, as well as the recently passed Maryland Online Data Privacy Act of 2024. Maryland joins 17 other states that have enacted data privacy laws in recent years.

Meanwhile, a new effort to establish nationwide data privacy standards, The American Privacy Rights Act of 2024, was introduced by Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) on April 7, 2024.

New Cybersecurity Rules in the EU

Technology legislation passed in the European Union can impact the whole world, and several cybersecurity bills are currently moving through EU lawmaking bodies.

Arguably the most well-known is the EU AI Act, which subjects all AI systems to regulations around risk management, transparency, and reporting, and bans AI tools deemed high risk. This law applies to all AI systems used in the EU, regardless of the location of the deployer or provider.

Other EU security legislation to watch includes the recently passed Network and Information Security 2 Directive (NIS2), which goes into effect in October 2024, and the Digital Operational Resilience Act (DORA), effective in January 2025. NIS2 creates new cybersecurity risk management obligations, while DORA establishes obligations for operational resilience. Both apply to all entities operating in the EU.

Top Cybersecurity Trends in 2024

The Growth of AI-Driven Risks

Perhaps the most significant cybersecurity development of the past year is the ubiquity of AI.

Alison King, vice president of government affairs at cybersecurity provider Forescout, says that a primary cybersecurity concern should be ensuring “AI tools are used securely and ethically.”

The hype surrounding AI may lead organizations to adopt AI technologies before fully vetting their security, perhaps making the mistake of inputting sensitive information into tools built on public AI platforms or failing to anonymize data used to train a GPT.

“As organizations strive to leverage AI responsibly, they must balance innovation with risk mitigation,” King says. “While defenders stand to benefit from AI's capabilities, malevolent actors can weaponize these same technologies for nefarious purposes.” In particular, experts predict that generative AI could lead to more convincing social engineering attacks.

Failing to vet the security of AI platforms may also render investments in those platforms void in the future, as governments have also been taking note of AI’s risks and potential. Draft legislation related to AI has been proposed both in the U.S. and abroad.

Governmental Attention on AI

In the coming months, “Look to governments to increase focus on AI systems, toeing the line between innovation and security,” advises Eric Skibinski, consultant at FiscalNote. “These governments are excited to leverage the new technology, but are also concerned with the risks associated with it.”

At the federal level, Biden has issued an executive order on AI that encourages, among other things, higher standards for AI security. In response, the Cybersecurity and Infrastructure Security Agency (CISA) has published guidelines on securing critical infrastructure against AI-related threats, and the Department of Homeland Security (DHS) has created an AI safety board.

In Congress, Senate Majority Leader Chuck Schumer (D-NY) recently proposed a $32 billion annual spending plan for AI systems, and a Senate AI working group has released a road map for AI-related proposals.

Security by Design Gains Proponents

Historically, organizations and end users have been responsible for their own cybersecurity. According to Skibinski, though, a growing trend in cybersecurity is the concept of “Security by Design,” which encourages developers to build security into new products.

The Biden administration recently voiced its support for this approach, and CISA launched an initiative advocating for it. It also collaborated with agencies across six other countries to write guidance for developers on making software secure by design. If this trend continues, Security by Design could become a more widespread expectation for technology developers and providers in the future.

CISA Offers Support to High-Risk Sectors

Many industries that are particularly vulnerable to ransomware also lack the resources to invest in strong cybersecurity. These include healthcare, water and wastewater, education, and election management.

“These areas don’t always have the resources to deal with sophisticated cyberattacks, but manage and maintain information critical to daily life,” Skibinski says. If they get shut down by ransomware, it could have significant, wide-ranging consequences. This risk was felt late last year when an Iranian-backed group temporarily shut down water utilities using Israeli-made equipment.

CISA has taken steps to warn these industries of the risk and offer support for avoiding ransomware. There is a possibility of more focus on these sectors in the future, Skibinski says.

Stay in the Know on Cybersecurity Policy & Trends

Considering the constant rate at which cybercriminals and state actors launch new, stronger attacks, governments have little choice but to constantly update policies in response. In this environment, government affairs professionals need to keep a close watch on cybersecurity-related legislation and regulations.

That’s why the pros are using FiscalNote to monitor the evolving landscape of cybersecurity policy. FiscalNote’s legislative tracking solutions can keep you up-to-date on cybersecurity policy at all levels of government around the world, helping you keep your organization secure, compliant, and one step ahead.
