Executive Order 14390 Signals Shift in Federal Focus to Combating Cybercrime Against Citizens

Executive Summary

On March 6, 2026, the U.S. government signed Executive Order 14390, titled "Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens." This order signals a major evolution in national cybersecurity strategy, expanding the federal government's mission beyond the traditional scope of protecting its own networks and critical infrastructure. EO 14390 reframes cybercrime as a direct economic and societal threat to the American public and private businesses. For enterprise CISOs, this order creates new incentives for security investment but also foreshadows increased regulatory scrutiny, reporting requirements, and potential liability for cybersecurity failures.

Regulatory Details

Executive Order 14390 represents a policy response to the escalating wave of financially motivated cyberattacks, including ransomware and AI-driven fraud, that directly harm citizens and businesses. Unlike previous directives such as EO 14028, which focused on federal network modernization and software supply chain security, EO 14390 is centered on the operational disruption of cybercriminal activities.

Key implications for businesses include:

• Increased Scrutiny: The order signals that the federal government will take a more active role in assessing the cybersecurity maturity of private enterprises, especially when their vulnerabilities contribute to widespread harm.
• Reporting Requirements: It reinforces the trend towards more comprehensive and rapid incident reporting, aligning with regulations like the SEC's disclosure rules and CISA's CIRCIA.
• Potential Liability: The order's proposal for a victim restoration program suggests a stronger policy linkage between a company's security posture and its accountability for cyber-related harm to customers or the public.

Affected Organizations

This executive order affects virtually all U.S. businesses, as it broadens the definition of national cyber interest to include the economic well-being of citizens. While all industries are in scope, those that handle large amounts of consumer data or are frequent targets of ransomware—such as healthcare, finance, and retail—will likely face the most immediate impact and scrutiny.

Compliance Requirements

While the EO itself is a directive for federal agencies, it sets the stage for future regulations and enforcement actions that will flow down to the private sector. CISOs and compliance officers should anticipate:

1. Stricter Standards of Care: The government will likely push for higher baseline cybersecurity standards across the board. Adherence to frameworks like the NIST Cybersecurity Framework (CSF) will become even more critical as a measure of due diligence.
2. Enhanced Public-Private Partnerships: The order will likely spur new programs for information sharing and joint operations between law enforcement (e.g., FBI, Secret Service) and the private sector to disrupt cybercrime infrastructure.
3. Workforce Development Initiatives: To address the skills shortage, the order promotes expanded federal investment in cybersecurity education and training programs, which could provide a new source of talent for businesses.

Impact Assessment

For businesses, EO 14390 is a double-edged sword. On one hand, the heightened federal focus on cyber resilience provides a powerful argument for CISOs seeking to secure larger budgets and executive buy-in for security initiatives. It frames cybersecurity not just as a cost center, but as a critical component of corporate responsibility and a prerequisite for doing business. On the other hand, it raises the stakes for failure. Organizations with poor security maturity may face increased regulatory enforcement, greater liability in the event of a breach, and more significant reputational damage as the government and public place a stronger emphasis on corporate accountability for cybercrime.

Compliance Guidance

Enterprises should take the following proactive steps in response to EO 14390:

1. Conduct a Maturity Assessment: Perform a thorough assessment of your organization's cybersecurity posture against a recognized framework like the NIST CSF. Identify and prioritize gaps, particularly in areas like incident response, vulnerability management, and third-party risk.
2. Review Incident Response Plans: Update your incident response plan to align with emerging rapid reporting requirements. Ensure you have clear protocols for notifying law enforcement and regulatory bodies.
3. Invest in Resilience: Shift focus from prevention alone to overall cyber resilience. This includes robust backup and recovery strategies, business continuity planning, and the ability to operate through and recover quickly from an attack.
4. Engage with Information Sharing and Analysis Centers (ISACs): Actively participate in your industry's ISAC to share and receive timely threat intelligence, which is crucial for disrupting the campaigns targeted by this EO.