Regulating Cyber Security In A Complex Landscape
Cybersecurity regulation is expanding quickly, and the EU's multi-year cybersecurity strategy is one of the main drivers of the new rules organizations must follow. Businesses across sectors must comply with a growing set of laws and standards that safeguard sensitive data, protect consumer privacy, and require demonstrable cyber resilience. Obligations arrive from several layers at once: national and international regulations, general-purpose laws, sector-specific rules, and, in the US, state law.
General Cybersecurity Regulations in the US
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a contractual standard rather than a law, and it applies to any organization that stores, processes, or transmits payment card data. Maintained by the PCI Security Standards Council, it is organized into 12 requirements covering network security controls (firewalls in earlier versions), protection of stored cardholder data and encryption in transit, restriction of physical and logical access, logging and monitoring, vulnerability management, and regular security testing. PCI DSS v4.0 replaced v3.2.1 on March 31, 2024, and its future-dated requirements, including multi-factor authentication for all access to the cardholder data environment and controls on payment-page scripts, became mandatory on March 31, 2025. Penalties for non-compliance are imposed by the card brands on acquiring banks and are typically passed through to the merchant; commonly cited figures range from $5,000 to $100,000 per month and rise with the duration of non-compliance, on top of forensic investigation costs and the possible loss of the ability to accept cards.
Gramm-Leach-Bliley Act of 1999 (GLBA)
The Gramm-Leach-Bliley Act (GLBA) of 1999 governs how financial institutions handle customers' nonpublic personal information. It has three main components: the Financial Privacy Rule, which requires institutions to give customers privacy notices and the ability to opt out of sharing their data with non-affiliated third parties; the Safeguards Rule, which requires a written information security program with risk assessments, access controls, encryption, and monitoring (the FTC's amended rule, in force since June 2023, also requires a qualified individual to run the program and, since May 2024, notification to the FTC of breaches affecting 500 or more consumers); and the pretexting provisions, which prohibit obtaining customer information under false pretenses, that is, by social engineering. Banks, lenders, insurance agencies, and other financial institutions must comply.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) is a US federal law that imposes financial reporting, internal control, and audit obligations on US-listed public companies. Enforced by the Securities and Exchange Commission (SEC), it matters to security teams mainly through Section 302 (executive certification of financial reports) and Section 404 (assessment of internal controls over financial reporting), which in practice require controlled access to financial systems, protection of financial data, and documented change management for the systems that feed financial statements. These controls are audited annually, and they underpin the integrity of financial records and the protection of shareholders.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA), enforced by the FTC, protects the personal data of children under 13. Operators of websites and online services directed at children, or with actual knowledge that they collect data from children, must post a clear privacy policy, obtain verifiable parental consent before collecting personal data, let parents review and delete that data, and maintain reasonable security for it. The rule significantly affects businesses that serve young audiences, including apps, games, and education platforms.
Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act of 2015 encourages the sharing of cyber threat indicators and defensive measures between the federal government and private companies, and among companies themselves. It provides liability protection and antitrust and public-records safe harbors for sharing done in accordance with the Act, and it established the channels, such as CISA's Automated Indicator Sharing program, through which indicators flow. The practical benefit for businesses is earlier access to threat intelligence that they would otherwise have to develop or buy on their own.
Sector-Specific Cybersecurity Regulations
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in March 2022, requires covered entities in the 16 critical infrastructure sectors (including energy, chemical, and critical manufacturing) to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The Act defines its terms by reference to the Homeland Security Act and, for cloud service providers, to the NIST definition of cloud computing in NIST Special Publication 800-145. The reporting obligations take effect only once CISA's implementing rule is final; the proposed rule was published in April 2024. Timely reporting gives CISA visibility into attacks across sectors and supports faster warnings to other operators.
Health Insurance Portability and Accountability Act (HIPAA)
The healthcare sector faces unique cyber threats, making compliance with the Health Insurance Portability and Accountability Act (HIPAA) essential. HIPAA protects health information through three rules: the Privacy Rule, which limits how covered entities and their business associates may use and disclose protected health information (PHI); the Security Rule, which requires administrative, physical, and technical safeguards for electronic PHI; and the Breach Notification Rule, which requires notifying affected individuals and the Department of Health and Human Services (and, for breaches affecting more than 500 people, the media) without unreasonable delay and no later than 60 days after discovery. The HHS Office for Civil Rights enforces the rules.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, applies to federal agencies and to the contractors and service providers that operate systems on their behalf. Agencies must run an information security program based on NIST standards, in practice the Risk Management Framework and the NIST SP 800-53 control catalog, covering system categorization, risk assessment, control selection and assessment, authorization to operate, continuous monitoring, incident response, and security training. Cloud services used by agencies are assessed against the same controls through FedRAMP.
North American Electric Reliability Corp. (NERC) CIP Standards
The NERC Critical Infrastructure Protection (CIP) standards, enforced by NERC under Federal Energy Regulatory Commission (FERC) oversight, protect the reliability and security of the North American Bulk Electric System (BES). The standards cover cyber system categorization (CIP-002), security management controls, personnel training, electronic security perimeters, physical security, system security management, incident reporting and recovery planning, configuration and vulnerability management, information protection, and supply chain risk management (CIP-013). Registered entities face financial penalties for violations, and compliance is fundamental to protecting the grid from cyber threats.
US State Cybersecurity Regulations
New York SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act of 2019 requires any business holding the private information of New York residents, wherever the business is located, to maintain reasonable administrative, technical, and physical safeguards. It also broadened the state's breach notification law: "private information" now includes biometric data, account credentials, and account numbers with their access codes, and a "breach" includes unauthorized access to data, not only its acquisition. The New York Attorney General enforces the Act.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenue over $25 million (adjusted periodically for inflation), buying, selling, or sharing the personal information of 100,000 or more consumers or households a year, or deriving at least half of annual revenue from selling or sharing personal information. Residents can ask what data a business holds about them, request deletion or correction, opt out of sale and sharing, and limit the use of sensitive personal information. The Act requires reasonable security and gives consumers a private right of action for breaches caused by its absence; the California Privacy Protection Agency and the Attorney General enforce it.
Colorado Privacy Act
The Colorado Privacy Act, in effect since July 1, 2023, gives residents rights of access, correction, deletion, and portability, and the right to opt out of targeted advertising, sale of personal data, and profiling. It applies to businesses that process the personal data of at least 100,000 Colorado residents per year, or that process the data of at least 25,000 residents and derive revenue from selling personal data. Controllers must apply reasonable security practices, obtain consent before processing sensitive data, publish clear privacy notices, and conduct data protection assessments for high-risk processing.
International Cybersecurity Regulations
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), in force since May 25, 2018, applies to organizations established in the EU and to organizations anywhere that offer goods or services to, or monitor the behaviour of, individuals in the EU. It covers all personal data, from names and addresses to special categories such as biometric and health data, and requires a lawful basis for processing, data protection by design and by default, and notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them. Fines reach €20 million or 4% of global annual turnover, whichever is higher, so compliance is essential for any business operating in or with the EU.
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023, and has applied since January 17, 2025. It harmonizes ICT risk management across the EU financial sector, covering ICT risk management frameworks, incident classification and reporting, digital operational resilience testing (including threat-led penetration testing for the largest institutions), and management of ICT third-party providers, with direct EU oversight of providers designated as critical.
NIS2 Directive
The EU’s NIS2 Directive (Directive (EU) 2022/2555) entered into force on January 16, 2023, and Member States were required to transpose it into national law by October 17, 2024. It expands its predecessor's scope to sectors such as food production, manufacturing, waste management, postal services, digital providers, and public administration, distinguishing "essential" from "important" entities. Covered entities must implement risk management measures, including supply chain security, vulnerability handling, and multi-factor authentication where appropriate, and must report significant incidents in stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Management bodies can be held personally accountable for non-compliance.
Canada’s PIPEDA
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It is built on ten fair information principles, including accountability, consent, limiting collection, safeguards, and openness, and since 2018 it has required organizations to report breaches that pose a real risk of significant harm to the Privacy Commissioner and to the affected individuals.
India’s Digital Personal Data Protection Act
India’s Digital Personal Data Protection Act, 2023 regulates the processing of digital personal data within India and, for organizations outside India, processing connected to offering goods or services to individuals in India. It gives individuals the right to know how their data is used, to correct and erase it, and to withdraw consent, and it obliges data fiduciaries to apply reasonable security safeguards and to notify the Data Protection Board and affected individuals of breaches. Penalties are assessed per breach on factors such as its nature, gravity, and duration, the type of data affected, and the harm caused, up to ₹250 crore (roughly US$30 million) for failing to maintain reasonable security safeguards.
Emerging Regulations and Standards
UK Product Security and Telecommunications Infrastructure (PSTI) Regulation 2023
The UK's PSTI Act 2022 and its 2023 Regulations have applied since April 29, 2024, to consumer connectable products sold in the UK. Manufacturers must not ship universal default passwords, must publish a vulnerability disclosure policy with a point of contact, and must state the minimum period for which the product will receive security updates; manufacturers and importers must also provide a statement of compliance before the product is placed on the market.
US Cyber Trust Mark
The US Cyber Trust Mark is a voluntary labeling program for consumer IoT devices administered by the Federal Communications Commission, with technical criteria drawn from NIST's consumer IoT baseline (NISTIR 8425). The criteria include unique passwords and no default credentials, data protection, software updates, and incident detection, and the label's QR code lets consumers look up a product's current security status.
Singapore’s Cybersecurity Labelling Scheme (CLS)
Singapore's Cybersecurity Labelling Scheme (CLS), run by the Cyber Security Agency of Singapore, rates consumer smart devices at four assurance levels, from Level 1 (baseline requirements such as unique default passwords and security updates) up to Level 4 (independent penetration testing). The scheme is voluntary for most products, but home routers sold in Singapore must meet IMDA's mandatory security requirements, which CLS Level 1 satisfies.
EU Cyber Resilience Act (CRA)
The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on December 10, 2024. It sets common cybersecurity rules for products with digital elements, from consumer devices to software, and holds manufacturers responsible across the product lifecycle: secure-by-design development, vulnerability handling, and security updates for a support period that reflects the product's expected lifetime (normally at least five years). Obligations to report actively exploited vulnerabilities and severe incidents apply from September 11, 2026, and the remaining obligations from December 11, 2027.
EU Radio Equipment Directive (RED) Article 3.3
Commission Delegated Regulation (EU) 2022/30 activates Article 3.3 (d), (e), and (f) of the Radio Equipment Directive for internet-connected radio equipment, applying from August 1, 2025. It requires network protection, safeguards for personal data and privacy, and protection against fraud for devices that handle payments; conformity is typically demonstrated against the EN 18031 series of harmonized standards.
Critical Entities Resilience Directive (CER Directive)
The Critical Entities Resilience Directive (Directive (EU) 2022/2557), the physical-resilience counterpart to NIS2, required transposition by October 17, 2024. Member States identify critical entities in sectors such as energy, transport, banking, health, water, and digital infrastructure; those entities must carry out risk assessments, adopt resilience measures covering physical protection, business continuity, and personnel security, and notify significant incidents to the competent authority.
California AI Safety Legislation
California's SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, proposed a safety framework for the largest AI models, including pre-deployment safety testing and a full shutdown capability (the “kill switch”). Governor Newsom vetoed it in September 2024; a narrower successor, SB 53 (the Transparency in Frontier Artificial Intelligence Act), which requires frontier developers to publish safety frameworks and report critical safety incidents, was signed in September 2025. The debate shows how quickly responsible AI development is becoming a regulatory rather than a voluntary matter.
Navigating this landscape of overlapping regulations is central to protecting sensitive data, meeting legal obligations, and building cyber resilience. Mapping each obligation to a single internal control framework (for example NIST CSF or ISO/IEC 27001) lets an organization satisfy many regimes with one set of controls and demonstrate compliance with evidence rather than assertions. By adhering to these regulations, organizations can mitigate cyber threats and safeguard their operations in an increasingly digital world.