Three important federal cyber regulations to monitor during Trump’s presidency
Key federal cybersecurity regulations remain a focus under the Trump administration, with Republican lawmakers emphasizing the need to review and potentially harmonize rules in the cybersecurity space. Three specific rules are drawing attention: the incident reporting requirements proposed by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services' (HHS) cybersecurity updates to the Health Insurance Portability and Accountability Act (HIPAA), and the Securities and Exchange Commission's (SEC) 2023 cybersecurity risk management requirements.
CISA initiated a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in April, aimed at establishing incident reporting standards across critical infrastructure sectors. In January, HHS introduced updates to HIPAA to enhance cybersecurity measures for safeguarding sensitive healthcare data against ransomware threats.
The transition from the Biden to Trump administration prompted a shift in the approach to setting cybersecurity standards, particularly concerning CISA’s and HHS’s rules. Republican leaders on House committees recently urged the Office of Management and Budget to prioritize the review of current and prospective federal cyber regulations to identify redundancies and streamline compliance efforts. They highlighted concerns about compliance costs associated with HHS’s rule and how CISA’s CIRCIA rule could increase costs and expand oversight beyond lawmakers’ intentions.
Efforts are underway to streamline cyber regulations to bolster the nation’s cybersecurity posture by eliminating duplicative and conflicting standards that may hinder effective security measures. GOP lawmakers have also criticized the SEC’s cybersecurity disclosure requirements adopted in 2023, citing ambiguities and reporting challenges that could compromise cybersecurity efforts within critical infrastructure sectors.
The recent confirmation of Paul Atkins, chosen by President Trump to lead the SEC, added intrigue to the cybersecurity regulatory landscape. While Atkins has not publicly expressed his stance on the SEC’s cyber rule, industry observers anticipate a more measured approach to enforcement under his leadership. John Reed Stark, a former SEC official critical of the cyber rule, believes that Atkins may refocus enforcement efforts on cybersecurity disclosure fraud rather than penalizing firms for unintentional compliance errors.
The overarching goal for lawmakers and policymakers is to align federal cyber regulations to mitigate redundancies, enhance cybersecurity capabilities, and prioritize security over regulatory compliance. By reviewing and potentially revising existing regulations, the government aims to create a more cohesive and effective cybersecurity framework that addresses current and emerging threats to critical infrastructure and national security.