
Expected New Cybersecurity Rules for US Small Business

As you are probably well aware, cybercrime against the US, both government and private industry, increased at alarming rates in 2021 and 2022.

As a result, the Federal Government has been adjusting accordingly: preparing to fight back and getting the private sector ready to become resilient to cybercrime, especially now with the wave of phishing and ransomware attacks. Our blogs titled “The US Preparing for Cyberwar – Part 1 and Part 2” give a detailed account of what the Government has been doing over the last few years to prepare itself for cyber conflict. We certainly encourage you to read them and give us your comments. It is good news to know the US is sharpening its tools to protect itself and all of us.

This page focuses on the new rules the Feds might impose on the majority of US small businesses that are not currently regulated, as a complement to the country’s preparation, and on how to be ready for them.

The cybersecurity company BlackFog (www.blackfog.com) produces a monthly ransomware report listing the ransomware attacks happening worldwide. These reports go back to 2020 and show how the number of incidents is increasing year over year.

The report also breaks the attacks down by country: the US has been the victim of 52% of them.

Reading these reports can be depressing. Incident after incident details how businesses, from very large ones like Coca-Cola, Toyota, Samsung, and Microsoft to relatively small ones like Expeditors, a Seattle-based logistics and freight forwarding company, have fallen victim to this scourge. Governments as well, from the Costa Rican Social Security Fund, to the Ministry of Justice in France, to plenty of small US cities and counties throughout the country, have had to consider paying ransom to return to normal operations. School districts, hospitals, airports, universities, even sports organizations like the San Francisco 49ers have been victims of ransomware attacks. The reports are there for you to see.


Clearly, the damage inflicted is very serious. The brashness and aggressiveness of the cyber criminals is increasing as they feel they can do their deeds with impunity, and so far this has largely been true. But is there anything the world can do about it?

The answer is certainly yes! There are many things that can be done and are being done today. Many of them are detailed in our blog “The US Preparing for Cyberwar”. Initiatives to strengthen US critical infrastructure, to increase the cyber resiliency of companies doing business with the Federal Government, and others will make the country better prepared.

But one of the most important parts of the effort is raising awareness of the problem in the overall small business community and among the general public. The US Government is trying to do this, but unfortunately negative attitudes towards it have not helped those efforts. Since the start of the Russian invasion of Ukraine in February 2022, the US Government has warned of an elevated risk of cyber attack. However, a recent CNBC survey of over 2,000 US small business owners about their outlook on the overall business environment showed that only 5% of them considered cybersecurity to be a top risk to their business.

As the CNBC report found, almost four in 10 of those small business owners said they are very or somewhat concerned that their business will be the victim of a cyber attack within the next 12 months. But only 33% of owners with 0-4 employees are concerned about experiencing a cyber attack within a year, compared with 61% of small business owners with 50 or more employees. About six in 10 small business owners were very or somewhat confident that they could quickly resolve a cyber attack on their business if needed.

This seeming state of denial among US small business owners diverges from the sentiment of the general public. In SurveyMonkey’s own polling, three quarters of Americans say they expect businesses in the U.S. to experience a major cyber attack within the next 12 months. This matters because the same survey found that 55% of people in the U.S. would be less likely to continue doing business with brands that have been cyber attack victims.

The obvious question is why small businesses in the US are not concerned enough to take more proactive preventative action. It seems that many of these business owners believe cybercrime wouldn’t happen to them, and that if it did, they could just figure out how to beat it, or pay the ransom, keep quiet about it and move on.

Well, this is about to change. Congress has begun hearings on a proposed law dubbed “the American Data Privacy and Protection Act (ADPPA)”, which would be enforced by the Federal Trade Commission (FTC). The whole idea is to establish in law a right to data privacy and a safe environment for citizens’ data.

Clearly, data privacy cannot exist without a robust cybersecurity foundation that keeps hackers from stealing critical customer information. The new bill would therefore be the first comprehensive federal bill to require data security and the protection of covered data for most entities (businesses), including data security policies and reasonable administrative, technical, and physical practices and procedures. The FTC would be responsible for providing compliance guidance, which must take into account the size of the entity, the sensitivity of the data and the cost of tools, because not all entities are the same. The bill would also establish corporate accountability for lost or stolen data, with specific obligations for large data holders.

ADPPA would require, for example, that businesses notify their customers if their data was transferred, processed or made available to US adversaries like North Korea, China or Russia, which gather such data and weaponize it against those customers.

Like everything the US Congress does, this will take time to put in place and will go through many revisions and amendments. What is clear, however, is that there is a strong sense of urgency about creating such a law. So what should small businesses do now to prepare for these new rules?

There are some practical and concrete steps, many of them outlined in CISA’s Small Business Tip Card. These tips walk you through seven steps your business can take to improve its cyber resiliency, point you to available resources, and give direction on what to do if you have been compromised. In addition, take a look at our Cyber Quizzes. They are a fun way to review your overall knowledge.

Merysol Security strives to increase cybersecurity awareness among small businesses. If we can be of assistance in helping your business improve its cybersecurity posture, please contact us. We are ready to start the conversation.