How To Deal With the Vagueness in New Cyber Regulations

Published: 23/11/2024   Category: security



Recent regulations for privacy, AI, and breaches tend to be overly broad, suggesting that the rulemakers lack tech acumen.



Regulatory bodies at every level of government have handed down stiffer privacy and disclosure requirements this year — and penalties to match — crafted with ambiguous language and squishy guidelines leaving cybersecurity teams hip-deep in liability and no clear path to compliance.
Recently released Securities and Exchange Commission (SEC) guidelines on cyber incident disclosure are an example of the kind of confusion vague regulatory language can cause. Cybersecurity expert Adam Shostack points out to Dark Reading that he has observed the rules being widely misinterpreted.
"I think the requirement for transparency is generally good, and it's important to note it's within four days of determining it's a material breach, not within four days of discovering a breach," Shostack notes. "A lot of people are missing that important distinction."
Shostack, along with a panel of experts including Mike Hintze, Daniel P. Cooper, and Leslie R. Katz, will offer advice on how to navigate a slew of new cyber regulations at Black Hat USA during their presentation, "Hot Topics in Cyber and Privacy Regulation."
Some of the vague language of cyber regulation is necessary, Shostack points out.
"Also, let's be frank. The reason these standards are vague is often [because] industry demands for flexibility," he adds. "If we're having trouble because the standards are too open-ended, we should bring that to our industry groups and lobbyists."
Katz, an attorney and former tech executive, agrees it's up to the cybersecurity community to help educate and shape rulemaking discussions. Without technical guidance, regulatory bodies like the SEC are left with little influence beyond punishment, she adds.
Katz says that lack of cybersecurity expertise is fueling the SEC's consideration of legal action against SolarWinds executives for the company's 2020 breach.
"This seems to be another effort by the SEC to regulate by enforcement. Rather than providing clearer guidelines, they are sending a message via such an action," Katz tells Dark Reading. "A warning shot for all that even greater vigilance and rapid responses will be needed."
The panel will provide guidance on topics that span US privacy law, European Union regulations around AI, the EU-US Data Protection framework, and how security pros can best engage with the compliance and rulemaking process.
Continued regulatory uncertainty requires increasingly close collaboration with legal and compliance experts both during preparation and during an actual cyber incident response, Shostack says. He adds that the best place for cyber teams to start is with technical standards from the National Institute of Standards and Technology: the Cybersecurity Framework or the Secure Software Development Framework.
