We examine the common themes in many of the regulatory approaches -- including executive and Board responsibility, measuring security effectiveness, and managing risk in the ecosystem.
If you operate in specific sectors, cybersecurity maturity is more than a best practice, it’s a regulatory requirement. These regulations are complex and constantly changing. To help you better understand your organization's regulatory environment and the standards and controls they stipulate, let's break down key cyber compliance regulations by industry.
What is cybersecurity compliance in your sector?
The Health Insurance Portability and Accountability Act (HIPAA) is perhaps the most well-known cybersecurity regulation because it impacts all of us. HIPAA requires healthcare organizations, insurers, and third-party service providers to implement controls for securing and protecting patient data and conduct risk assessments to identify and mitigate emerging risks. Although HIPAA has been in place since 1996, the sector still struggles with compliance, as BitSight research suggests.
2. Financial services
As a lucrative target for bad actors, the financial services cybersecurity compliance landscape is abundant with regulation.
The most common set of regulations are found in the Federal Financial Institution Examination Council handbook (FFIEC IT). The handbook was recently updated to include a new emphasis on continuous monitoring and business continuity management both internally and across the supply chain.
Another regulation is the Service Organization Control (SOC) Type 2 (SOC2). Developed by the American Institute of Certified Public Accountants (AICPA), SOC2 is a stringent trust-based cybersecurity framework that helps firms verify that third parties are securely managing client data.
In addition to protecting digital infrastructure, financial services companies must also comply with the Gramm-Leach-Bliley Act and notify customers of how their information is shared and when it may have been exposed.
As if all that weren’t enough, financial regulatory bodies also issue multiple guiding frameworks. For instance, the Office of the Comptroller of Currency (OCC) has published procedures for managing third-party risk.
In the wake of the massive 2015 breach of the Office of Personnel Management (OPM) and the more recent SolarWinds supply chain attack, it’s no surprise that the government is doubling down on regulations that address today’s persistent and evolving threats.
Let’s talk about what’s changing.
In May 2021, the Biden administration issued an Executive Order (EO) to protect federal infrastructure. Among other things, the EO requires federal agencies to adopt new standards and tools to ensure the security of their software supply chains, including criteria to monitor and evaluate the security practices of third-party developers. Federal contractors are also required to notify customers if a cyber-attack may have impacted their data.
Biden’s EO builds on a broad range of government cybersecurity regulations. The most comprehensive framework established to date is the Federal Information Security Management Act (FISMA). Aligned closely with FIPS and NIST 800 guidelines, the act sets standards for first- and third-party compliance. If you operate in the government sector, check out what FISMA means for you and how you can monitor FISMA compliance.
In the defense sector, businesses must meet cyber requirements set up in the Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance, and Information (PGI). They must also comply with the new Cybersecurity Maturity Model Certification (CMMC), which requires defense contractors to undergo assessments of their security postures. Find out if your business is ready for the CMMC.
4. Energy sector
The Colonial Pipeline breach is the most recent in a long line of cyberattacks against the U.S. energy sector, but it won’t be the last. BitSight research finds that 62% of oil and energy companies are at heightened risk of ransomware attacks due to their weak cybersecurity performance. And nearly 100 of these organizations are 4.5 times more likely to experience such an attack.
It’s critical that these companies immediately assess their security programs to discover any gaps, particularly around configuration management, patching, vulnerability management, and endpoint security. They must also ensure that they comply with the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP) cybersecurity standards. Read about effective strategies for achieving NERC-CIP compliance.
5. Consumer businesses
Businesses that have direct contact with consumers, such as restaurants, retailers, and consumer product companies, are increasingly using digital technologies and data initiatives to improve the customer experience. While customer data is necessary for these interactions, legislation requires that businesses protect and ensure consumer data privacy.
For instance, the General Data Protection Regulation (GDPR) instituted new requirements for how businesses – including U.S. businesses – collect and store the private data of European Union citizens. Fines for non-compliance are high; up to €20,000,000 or 4% of global revenue, and the EU is not shy about enforcing them.
In 2018, the California Consumer Privacy Act (CCPA) enacted similar legislation. Other states are following suit. In May 2021, the Commonwealth of Virginia passed a Consumer Data Protection Act, which adds data protection assessment requirements.
Consumer businesses who handle credit card payments must also follow regulations from the Payment Card Industry Security Council’s Data Security Standard (PCI DSS) which stipulates standards for securing cardholder data.
Use cyber frameworks as a compliance guide
While cybersecurity compliance is an essential goal if your organization operates in these sectors, you can also mature your cybersecurity program by modeling it after common cybersecurity frameworks like NIST, ISO 27000, and CIS 20.
How to know when you've achieved cyber maturity
Use BitSight Security Ratings to assess and score your cybersecurity performance and continuously monitor your third parties to ensure they don’t pose a hidden risk to your network. With frameworks as your guidepost and the insight that BitSight brings, you can better understand what regulators are looking for and continue to mature your cybersecurity performance.