What is the most common pain point facing businesses these days? Is it supply chain fragility? Fierce competition? Tight cashflows? Or is it the rising and relentless tide of cyberattacks?
Evidence and analysts suggest it’s often the latter. As cyberthreats show no signs of slowing down, both small and large organizations increasingly recognize that cybersecurity is no longer optional.
What’s more, governments and regulatory agencies have also caught onto its importance, especially when it concerns organizations that operate in sectors critical to a nation’s infrastructure. The result? An expanding set of compliance requirements that feel daunting but are essential for a country’s smooth operations and public security.
Compliance at a glance
Mandatory compliance encompasses regulations enforced by state-level or state-adjacent agencies and targeting companies operating in critical infrastructure sectors, such as healthcare, transport, and energy.
For example, a company processing patient data in California would need to follow the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), since the former is a U.S. federal act meant to protect sensitive patient data, while the latter is a state regulation meant to protect the data privacy of the residents of California.
However, every company needs to recognize that compliance isn’t a one-and-done effort. Organizations need to stay on top of, and ensure continuous adherence to, regulatory requirements as they evolve.
Cybersecurity compliance – not only for security vendors
A company that doesn’t conform to compulsory compliance can face hefty fines. Incidents such as data breaches or ransomware attacks can result in extensive costs, but evidence of a failure to comply with mandated security measures can ultimately cause the final bill to go “through the roof”.
The cybersecurity and data protection regulations that apply to an organization can depend on a multitude of factors. For example, the CCPA is scoped to “California residents” and applies to any business processing Californians’ data. On the other hand, the General Data Protection Regulation (GDPR) has a geographic scope, only applying to citizens within the EU.
Furthermore, depending on which customers, clients, or partners a business wants to attract, it is wise to obtain a specific certification in order to qualify for a contract. For example, if a company wants to work with the US federal government, it needs to obtain FedRAMP certification, demonstrating its competence in protecting federal data.
At any rate, compliance needs to be built into the foundations of any business strategy. As regulatory requirements keep rising in the future, well-prepared companies will have an easier time adapting to the changes. With compliance being measured continuously, this can save organizations significant resources and enable their growth in the long run.
Key cybersecurity acts and frameworks
Let’s now have a quick rundown on some of the most important cybersecurity regulatory acts and frameworks:
- Health Insurance Portability and Accountability Act (HIPAA)
This regulatory act covers the handling of patient information in hospitals and other healthcare facilities. It represents a set of standards that are designed to protect confidential patient health data from being misused, requiring administrative entities to enact various safeguards to protect said data, both physically and electronically.
- U.S. Securities and Exchange Commission (SEC) cybersecurity rules
The SEC’s rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies emphasize timely reporting of material cyber incidents, as well as annual disclosures on their cyber posture. Reporting of material incidents should happen within four business days, with penalties stemming from late, incomplete, or other reporting failures.
- National Institute of Standards and Technology (NIST) frameworks
A US government agency under the Department of Commerce, NIST develops standards and guidelines for various sectors, including cybersecurity. By mandating a certain set of policies that serve as the foundation of organizational security, it enables businesses and industries to better manage their cybersecurity. For example, the NIST Cybersecurity Framework 2.0 contains comprehensive guidance for organizations, regardless of size or current security posture, on how they can manage and reduce their cybersecurity risks.
- Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is another information security standard designed to control credit card data handling. Its goal is to reduce payment fraud risks by tightening the security surrounding cardholder data. It applies to all entities that handle card data, be it a store, a bank, or a service provider.
- Network and Information Security Directive (NIS2)
This directive strengthens the cyber-resilience of critical entities in the European Union by imposing stricter security requirements and risk management practices on entities operating in sectors such as energy, transport, health, digital services and managed security services. NIS2 also introduces new incident reporting rules and fines for non-compliance.
- General Data Protection Regulation (GDPR)
The GDPR is one of the strictest data privacy and security regulations globally. It focuses on the privacy and data protection rights of people in the European Union, giving them control over their data and mandating secure storage and breach reporting for companies that manage the data.
There are both industry-specific and broad regulatory frameworks, and each comes with unique requirements. Complying with one doesn’t guarantee that you’re not in breach of another set of rules; therefore, pay attention to which regulations apply to your business and its operations.
Costly non-compliance
What about non-compliance? As mentioned previously, certain regulations institute hefty penalties.
For example, GDPR violations may result in fines of up to 10 million euros, or 2% of global annual turnover, for any company that fails to notify either a supervisory authority or the data subjects of a breach. Supervisory authorities can also slap additional fines for inadequate security measures, leading to further costs.
In the US, non-compliance with FISMA, for example, can mean reduced federal funding, government hearings, censure, lost future contracts, and more. Similarly, HIPAA violations can have dire consequences, ranging from fines of US$1.5 million annually to jail time of up to 10 years. Clearly, there is more at stake than financial well-being.
All in all, it is better to be safe than sorry, and it’s also prudent to keep up with cybersecurity regulations specific to your industry. Rather than viewing it as an additional, avoidable expense, your business should see compliance as an essential and regular investment, doubly so in the case of compulsory standards, which, if neglected, could quickly turn your business, if not your life, upside down.
To learn more about how your organization can be compliant with specific regulations, head over to ESET's Cybersecurity Compliance for Business page.