On May 12, 2021, President Joe Biden issued an Executive Order to implement new policies aimed at strengthening the nation’s cybersecurity. The Executive Order was issued in response to the recent SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity incidents, which were, according to the White House, “a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.”
Although the new policies and standards announced by the Executive Order apply largely to federal agencies, there are still important implications for companies that do business with the federal government and for the private sector in general. For example, the Executive Order directs the federal government to develop a standard set of operational procedures (a "playbook") for responding to cybersecurity vulnerabilities and incidents. Even though this standardized approach will not be mandatory for the private sector generally, the White House's Executive Order fact sheet notes that the playbook would "provide the private sector with a template for its response efforts." There may therefore be an expectation that private sector entities follow this playbook in their own incident responses.
The Executive Order also establishes a Cyber Safety Review Board (CSRB), composed of representatives from both the federal government and the private sector, with a Chair and Deputy Chair drawn one from each. Modeled after the National Transportation Safety Board (NTSB), the CSRB may be convened following significant cyber incidents to review and assess threat activity, vulnerabilities, mitigation, and agency responses, and to make concrete recommendations for improving cybersecurity. The powers and authority to be granted to the CSRB remain to be developed, but significantly, NTSB rules bar persons in a legal position from serving as a company's party representative in NTSB investigations, which could have serious implications in the wake of a data breach if the CSRB is similarly structured.
We anticipate that the heightened security standards established by the Executive Order will trickle down to the private sector. Companies, even those that do not contract with the federal government, should carefully monitor the implementation of the Executive Order and take advantage of any opportunity to comment on the security standards that agencies develop in response to it, as well as on the scope of any implementing regulations.