How CISOs Can Prepare for a New Regulatory Landscape Following SCOTUS’ Chevron Deference Ruling

The impact of the Chevron deference ruling may take years to assess, but for now, a proactive incident response strategy is your best bet.

The cybersecurity regulation landscape is becoming even more chaotic.

In late June 2024, the Supreme Court overturned the Chevron deference, a doctrine established 40 years ago that gave regulatory agencies leeway in interpreting ambiguous laws. The full implications of this landmark decision are still unfolding, the long-term effects on the regulatory landscape remain somewhat unclear, and cybersecurity leaders are unsure how best to act to protect their organizations.

The Chevron precedent follows a two-step process: If the intent of a law is clear, the agency must follow the law. But if the statutory language is open to two or more interpretations, a court defers to the interpretation of the agency, whose experts are presumably more qualified than judges to interpret the law’s intent.

The impact of the ruling extends far beyond cyber issues (from healthcare and education to financial services and telecommunications), but it has a particular significance in the cybersecurity world, where organizations already struggle to comply with a wide array of increasingly stringent regulations.

By overturning Chevron, SCOTUS is taking the final word on interpreting cybersecurity statutes away from single agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) or, for investment markets, the Securities and Exchange Commission (SEC), and potentially putting those decisions in the hands of the courts.

Instead of being able to rely on a single agency’s interpretation of a law as the standard, you’ll have that agency’s interpretation and possibly several differing federal court opinions on the standards. In the same way that people in the tech world are frustrated about how few of the members of Congress who sign off on cybersecurity laws actually understand the technology, they now have to worry about federal judges with little or no technology background interpreting the intent of those laws.

Chevron’s Impact Will Take Years to Assess

The initial reaction to the court’s ruling included fears that recently implemented, high-profile rules on cyber incident reporting, such as those from the SEC or CISA’s rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), would be struck down. That was always an overreaction.

It is possible that’s the eventual outcome. But that would take years to develop, given how slowly legal wheels grind—the recent Chevron case, filed in February 2020, took four-and-a-half years to eventually get a ruling from the Supreme Court.

Some agencies’ regulations have the potential for more drastic changes than others. The new SEC regulations may be more at risk, for example, because they are based on the SEC’s interpretation of the Sarbanes-Oxley Act of 2002, which addresses financial records but doesn’t specifically touch on cybersecurity. Similarly, the Federal Trade Commission bases a lot of its enforcement activities on Section 5 of the FTC Act, which addresses unfair or deceptive commercial practices.

CIRCIA, on the other hand, is explicitly about cybersecurity standards, including requirements for reporting cybersecurity incidents and ransomware payments. Any litigation challenging those rules will likely focus on interpretations of specific details but won’t take away from the new reporting requirements overall.

Compliance Could Become Even More Complex

In the coming years, litigation stemming from the Chevron ruling may roll back some cybersecurity requirements from the SEC and other agencies, but those agencies aren’t going away, nor are their regulations on cybersecurity, privacy protections and incident reporting. They will continue to regulate their respective industries, and it’s highly unlikely that the proliferation of diverse cybersecurity standards will slow down.

The regulatory landscape will, however, become more complex and subject to even more continuous change than we’ve already seen, with court interpretations of cybersecurity laws added to the mix.

By any measure, cybersecurity incidents over the past few years have been occurring at a relentless pace—the count depends on an organization’s criteria, but by one account there were more than eight breaches per day around the world in 2023, while another count put the numbers at 83 incidents and 29 breaches per day. Regulators will continue to push for greater transparency, while challenges based on the Chevron decision will make cybersecurity and incident reporting a murkier area.

Your Best Bet: A Proactive Response Now

Organizations shouldn’t wait to see what comes down the legal pipeline. They must drastically change their approach, adopting proactive strategies for readiness and consistent response to incidents. They should anticipate change and be prepared to respond effectively to both cyber incidents and legal reporting requirements.

By leveraging a combination of technology automation, regulatory intelligence and expert guidance, organizations can proactively prepare for the breadth and sophistication of cyber threats as well as a steady stream of changes to the more than 200 cybersecurity, privacy and data breach regulations that exist globally.

Companies can use technology to create comprehensive automated playbooks that address a wide range of incidents. They can also apply tools to enhance preparation through regular training, simulations and exercises, ensuring that all stakeholders—including security, legal, IT, compliance, communications and decision-makers—are aligned and ready to handle incidents effectively.

Automation is a big piece of that preparedness because it also enhances team collaboration, better protects legal privilege and accelerates response times. A proactive approach not only helps organizations meet necessary reporting requirements, but it fortifies an organization’s cyber resilience, reducing the overall impact and cost of incidents.
