The sudden rise of remote work has shifted how many businesses and government agencies operate, but this change has brought some unintended consequences in the form of cyber vulnerabilities. As organizations battle the growing barrage of threats and attack attempts against them, many states have begun to propose legislation to help combat cyberattacks.
2021 Cybersecurity Proposed Legislation
At the end of 2021, forty-five states and Puerto Rico had passed or were considering new cybersecurity legislation. Most bills focused on increased requirements for:
- Formal policies, practices, and procedures
- Cybersecurity training
- Cyber incident response
One of the most common legislative introductions is the implementation of, and adherence to, formal cybersecurity policies, practices, and procedures. This would require government agencies to select and implement formal security policies and standards, as well as to create task forces, councils, or commissions to study and advise on cybersecurity issues.
Another common thread in newly proposed legislation is the need for cybersecurity training. The government has vowed to support programs and provide incentives for cybersecurity training and education for state, local, and tribal governments.
Cyber incident response is another hot-button topic for legislators. Recent large-scale breaches, like the SolarWinds hack, affected state and local entities, in addition to federal systems. The proposed legislation has been designed to ensure state and local governments have a plan in place to respond to a security incident.
2021 Enacted Cybersecurity Legislation
More than 35 states enacted cybersecurity bills in 2021, with about half of these bills providing for enhanced security measures to protect government resources.
Cybersecurity Safe Harbor was enacted in Connecticut, Ohio and Utah to provide incentives for proactive alignment to a recognized cybersecurity framework.
Georgia, Kansas, Michigan, Vermont and Washington passed bills to exempt certain cybersecurity information from disclosure under public records laws.
Indiana requires reporting of ransomware incidents, and North Carolina became the first state to prohibit government entities from paying ransomware demands. Louisiana and Virginia adopted resolutions providing for cybersecurity studies.
Additionally, at least six states — Hawaii, Iowa, Maine, Minnesota, Tennessee, and Wisconsin — have passed legislation related to insurance data security standards.
Wondering what the latest requirements are in your state? The National Conference of State Legislatures provides an online list by state.
Why are state and local governments targeted by attackers?
There are several reasons cyber attackers choose to focus on state and local governments. For one, there are a lot of them. There are more than 90,000 local American government units, including 3,031 county governments, 19,475 municipal governments, and 16,253 town or township governments. All except the smallest of these have critical IT systems which host considerable amounts of sensitive data. Unfortunately, many local governments are working under tight budgets and do not have the financial or human resources to proactively defend against cyberattacks. This has meant that there is significant opportunity for a savvy, determined cybercriminal to cause chaos at a state or local level.
State legislation is needed to combat cyber attacks
While cybersecurity threats exist on a national level, in many cases it’s up to states to enact cybersecurity legislation aimed at preventing and stopping attacks. Since the beginning of 2020, there have been at least 93 ransomware attacks affecting 68% of U.S. states. These attacks have not affected all states equally.
The proactive approach to cybersecurity legislation
Leaders at every level of state and local government should be thinking about how to most effectively use their budgets and resources to improve their cybersecurity maturity and posture. Most states do not have a mandatory framework for local governments to conform to, but the NIST-developed Cybersecurity Framework is considered the current gold standard.
If you’re looking to implement the NIST Cybersecurity Framework or another security framework in your organization, contact us to discover how Foresite Integrated Risk Management can help. This automated tool makes it easy to understand the current security landscape of your organization and implement changes that can improve security and reduce risk.