We examine the common themes in many of the regulatory approaches -- including executive and Board responsibility, measuring security effectiveness, and managing risk in the ecosystem.
Over the last 5-10 years, we’ve seen a major uptick in the number of regulations across all sectors regarding cybersecurity. The following is a brief look at how cybersecurity regulations have been implemented across seven sectors and divisions.
- Financial Cybersecurity Regulations & Compliance
- Retail Cybersecurity Regulations & Compliance
- Healthcare Cybersecurity Regulations & Compliance
- Defense Cybersecurity Regulations & Compliance
- Consumer Data Cybersecurity Regulations & Compliance
- Insurance Cybersecurity Regulations & Compliance
- Energy Cybersecurity Regulations & Compliance
Cybersecurity Compliance: Regulations For 7 Industry Sectors
Financial Cybersecurity Regulations & Compliance
The financial sector has a number of cybersecurity requirements set by federal and state regulators. The most common set of requirements is found in the Federal Financial Institutions Examination Council's IT Examination Handbook, or FFIEC-IT. The handbook is made up of a number of booklets containing resources and requirements that financial institutions are expected to adhere to. Financial regulatory bodies also issue various guidance documents. One example is the Office of the Comptroller of the Currency (OCC), which has issued guidance on third-party risk management; that guidance applies to all organizations that fall under its oversight.
Retail Cybersecurity Regulations & Compliance
The retail sector isn’t federally regulated, but it does follow the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS). The council issues security standards that any organization that processes payment cards or holds payment card data is required to follow.
Healthcare Cybersecurity Regulations & Compliance
The best-known standard for cybersecurity compliance in healthcare is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes cybersecurity standards for healthcare organizations, insurers, and the third-party service providers that medical organizations do business with.
Defense Cybersecurity Regulations & Compliance
As a condition of providing a service to the U.S. Department of Defense (DOD), businesses must meet the cybersecurity requirements set out in the Defense Federal Acquisition Regulation Supplement (DFARS) and its Procedures, Guidance, and Information (PGI). DFARS outlines the cybersecurity standards a third party must meet and comply with before doing business with the DOD, in order to protect sensitive defense information.
Consumer Data Cybersecurity Regulations & Compliance
Currently, 47 out of 50 states (and the District of Columbia) have enacted cybersecurity compliance requirements obligating organizations to notify the state about security breaches that compromise customer data. For instance, if your company holds sensitive personal information about customers—like Social Security numbers, account numbers, or payment card information—and you experience a breach, you’re obligated to notify those affected. The Federal Trade Commission (FTC) can also penalize organizations for failing to adequately protect consumer data.
Insurance Cybersecurity Regulations & Compliance
While regulations for insurance departments and companies vary state by state, many states have issued requirements to protect consumer information, and interest in adding further regulation in this area is growing. In October 2016, the New York State Department of Financial Services (DFS) proposed a new cybersecurity regulation covering both financial organizations and insurance companies.
Energy Cybersecurity Regulations & Compliance
The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over a number of electric utility companies and operators. The standards are created by a nonprofit authority known as the North American Electric Reliability Corporation (NERC), and the regulations are known as the Critical Infrastructure Protection (CIP) Standards.
Something for all sectors to keep in mind...
While compliance with cybersecurity regulations is a critical goal, the importance of ongoing management of cybersecurity—both your own and your vendors’—shouldn’t be underestimated. Protecting critical data and information is less about the label of compliance and more about creating and adhering to a cybersecurity program.
If you need some tips on how to create a cybersecurity program for your vendors, download this ebook. It covers the questions you need to ask all of your vendors, the risk vectors and configurations to keep in mind, and the impact of continuous risk monitoring software.