The U.S. Supreme Court has issued a decision that could dramatically change federal cybersecurity regulations, overturning the long-standing Chevron deference and thus transferring ultimate regulatory approval to the courts and away from regulatory agencies. The ruling is raising major questions about how this will impact the current cybersecurity regulatory landscape. The shift is expected to trigger a wave of lawsuits that could undermine the Biden administration's recent cybersecurity initiatives.

Overview of the Supreme Court decision 

In Loper Bright Enterprises v. Raimondo, the Court ruled in a 6 to 3 vote to overturn the Chevron deference, a legal precedent from a 1984 Supreme Court case that required courts to defer to expert regulatory agencies when interpreting congressional intent. This ruling enables courts, not the regulatory agencies, to have the final say in interpreting congressional laws, potentially impacting a wide range of federal regulations. 

Immediate and long-term implications 

The decision calls into question numerous pending and existing regulations. Front and center will be the recent 2023 Securities and Exchange Commission (SEC) rules, which require publicly traded companies to file annual updates on their cyber risk mitigation strategies and to report cybersecurity incidents to the SEC within four business days of determining materiality. The new SEC rules are already under fire, with multiple groups filing briefs in reaction to the current SEC SolarWinds case, arguing that the authority of the regulator has expanded past the original intent of Congress.

In addition, several proposals on the protection of critical national infrastructure, which have been central to the Biden administration's cybersecurity efforts, may now be called into question via court-level challenges. The Coast Guard's proposed updates to maritime security regulations, which include minimum cybersecurity standards for US-flagged vessels, and the FCC's planned requirements addressing Border Gateway Protocol security risks may need to be reassessed. Existing rules like the North American Electric Reliability Corporation's Critical Infrastructure Protection (CIP) standards and the Nuclear Regulatory Commission's 2009 cybersecurity regulations for nuclear power plants could also face renewed legal challenges. Given the almost universal consensus that there needs to be more focus on cybersecurity for these sectors, the impact of the Chevron reversal may have more consequences than anticipated.

Impact on Congress and regulatory agencies

From a political perspective, the Supreme Court's ruling complicates the role of Congress and regulatory agencies. The long-standing frustration has been that Congress often passes laws that try to address cybersecurity and technology with ambiguous language and lengthy timelines. Agencies have come to be relied on not only to interpret and implement those laws but also to leverage current frameworks to adjust and adapt as necessary, creating a level of autonomy that often causes frustration. This frustration then comes full circle with calls to curb the regulatory autonomy that has resulted.

With courts now taking a more active role in interpretation, a new approach to cyber regulation will most likely emerge. In the meantime, the current limbo may lead to more complexity around compliance and the application of current and future regulatory rulemaking.

Preparing for the future 

Chief Information Security Officers (CISOs) and other stakeholders should prepare for a period of regulatory uncertainty. They may need to navigate varying interpretations and applications of cybersecurity requirements across judicial circuits. The Chevron reversal has the potential to increase the legal challenges to both new and existing regulations, as many federal cybersecurity regulations are based on older laws not originally intended to address modern cyber threats. Without Chevron deference, courts may be more likely to modify or overturn these regulations, leading to potential deregulation and inconsistency in regulatory enforcement, which CISOs and boards will need to try to stay current on.

Conclusion 

The Supreme Court's decision in Loper Bright Enterprises v. Raimondo marks a significant shift in regulatory authority, with far-reaching implications for almost all regulatory areas. Stakeholders must remain alert and flexible as the cybersecurity regulatory landscape adjusts to this new legal framework. 

WWT will continue to monitor these changes and provide updates. For regulatory briefings, contact WWT's Advocacy or the Field CISO Team.