Over the last 5-10 years, we’ve seen a major uptick in the number of regulations across all sectors regarding cybersecurity. The following is a brief look at how cybersecurity regulations have been implemented across seven sectors and divisions.
The financial sector has a number of cybersecurity requirements set by federal and state regulators. The most common set of requirements is found in the Federal Financial Institution Examination Council handbook, or FFIEC-IT. That body is comprised of a number of booklets that contain resources and requirements financial institutions are expected to adhere to. There are also a number of different guidances that financial regulatory bodies put out. An example is the Office of the Comptroller of Currency (OCC), which has put out guidance on third-party risk management. That guidance is issued to all organizations that fall under their oversight.
The retail sector isn’t federally regulated, but it does follow regulations from the Payment Card Industry Security Council’s Data Security Standard (or PCI DSS). This group issues security standards that any organization that processes payment cards or holds payment card data is required to follow.
The best-known standard for cybersecurity compliance healthcare is the Health Insurance Portability and Accountability Act. HIPAA establishes cybersecurity standards for healthcare organizations, insurers, and the third-party service providers medical organizations do business with.
As a condition of providing a service to the U.S. Department of Defense (DOD), businesses must meet cyber requirements set up in the Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance, and Information (PGI). DFARS outlines cybersecurity standards a third party must meet and comply with prior to doing business with the DOD in order to protect sensitive defense information.
Currently, 47 out of 50 states (and the District of Columbia) have enacted cybersecurity compliance requirements for organizations to notify states about security breaches that compromise customer data. For instance, if your company holds sensitive personal information about customers—like social security numbers, account numbers, or payment card information—and you experience a breach, you’re obligated to notify those affected. The Federal Trade Commission (FTC) can also penalize organizations for failing to adequately protect consumer data.
While regulations for insurance departments and companies vary state by state, many have issued requirements to protect consumer information. Furthermore, we’ve seen increased interest in adding more regulations in this area. In October 2016, the New York State Department of Financial Services (DFS) proposed new regulation around cybersecurity for both financial organizations and insurance companies.
The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over a number of electric utility companies and operators. The standards are created by a nonprofit authority known as the North American Electric Reliability Corporation (NERC), and the regulations are known as the Critical Infrastructure Protection (CIP) Standards.
While cybersecurity compliance with regulations is a critical goal, ongoing management of cybersecurity—both your own and your vendors’—shouldn’t be understated. Protecting critical data and information is less about the label of compliance and more about creating and adhering to a cybersecurity program.
If you need some tips on how to create a cybersecurity program for your vendors, download this ebook. It covers the questions you need to ask all of your vendors, risk vectors and configurations to keep in mind, and the impact of continuous risk monitoring software.
