What Is Cybersecurity Compliance? (6 Industry Approaches)

What Is Cybersecurity Compliance? An Industry Guide

If you operate in certain sectors, cybersecurity maturity is more than a best practice; it is a regulatory requirement. These regulations are complex, overlap with one another, and change constantly.

To help you understand your organization's regulatory environment and the cybersecurity standards and controls it stipulates, let's break down the key cyber compliance regulations by industry.

1. Healthcare Cybersecurity Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is perhaps the most well-known healthcare cybersecurity compliance regulation because it touches nearly everyone who receives medical care in the United States.

HIPAA's Security Rule requires covered entities (healthcare providers, health plans, and clearinghouses) and their business associates, including third-party service providers, to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI) and to conduct periodic risk analyses that identify and mitigate emerging risks.

Although HIPAA has been in place since 1996 (and its Security Rule has been enforceable since 2005), the sector still struggles with compliance, as Bitsight research suggests.

2. Financial Services

Because financial services firms are a lucrative target for bad actors, the sector's cybersecurity compliance landscape is crowded with regulation and supervisory guidance.

The most widely applied guidance is the Federal Financial Institutions Examination Council's IT Examination Handbook (FFIEC IT), which federal examiners use to evaluate banks and the technology service providers that support them.

Since 2020, that guidance has placed renewed emphasis on continuous monitoring and business continuity management, both internally and across the supply chain.

Another widely cited standard is the System and Organization Controls (SOC) 2 report, developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is not a regulation but an attestation framework: an independent auditor evaluates a service provider's controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). A Type 2 report covers how those controls operated over a period of time rather than at a single point, which is why firms rely on it to verify that third parties are managing client data securely.

In addition to protecting digital infrastructure, financial services companies must also comply with the Gramm-Leach-Bliley Act (GLBA): its Privacy Rule requires them to tell customers how their information is shared, its Safeguards Rule requires a written information security program, and related interagency guidance requires notifying customers when their information may have been exposed.

As if all that weren't enough, financial regulatory bodies also issue multiple guiding frameworks. For instance, the Office of the Comptroller of the Currency (OCC) has published guidance on managing third-party relationships and the risk they introduce.

3. US Federal & Government Contract Cybersecurity Compliance

In the wake of the massive 2015 breach of the Office of Personnel Management (OPM) and the more recent SolarWinds supply chain attack, disclosed in December 2020, it's no surprise that the government is doubling down on regulations that address today's persistent and evolving threats.

Let’s talk about what’s changing.

In May 2021, the Biden administration issued Executive Order 14028, "Improving the Nation's Cybersecurity," to protect federal infrastructure.

Among other things, the EO directs federal agencies to adopt new standards and tools to secure their software supply chains, including criteria for monitoring and evaluating the security practices of the third-party developers whose software they buy.

IT service providers that contract with the government must also report cyber incidents that may have affected government data to the agencies they serve, and contract terms can no longer be used to block that sharing.

Biden's EO builds on a broad range of government cybersecurity regulations. The most comprehensive framework established to date is the Federal Information Security Management Act (FISMA), enacted in 2002 and updated by the Federal Information Security Modernization Act of 2014.

Aligned closely with the FIPS 199 and FIPS 200 standards and the NIST SP 800 series (notably SP 800-53), FISMA sets security requirements for federal agencies and for the contractors and service providers that handle federal information on their behalf. If you operate in the government sector, check out what FISMA means for you and how you can monitor FISMA compliance.

In the defense sector, businesses must meet the cyber requirements set out in the Defense Federal Acquisition Regulation Supplement (DFARS) and its Procedures, Guidance, and Information (PGI). DFARS clause 252.204-7012 requires contractors that handle controlled unclassified information to implement the security requirements of NIST SP 800-171 and to report cyber incidents to the Department of Defense within 72 hours of discovery.

They must also comply with the Cybersecurity Maturity Model Certification (CMMC), which requires defense contractors to have their security posture assessed (by self-assessment or by a certified third-party assessor, depending on the level) as a condition of contract award. Find out if your business is ready for the CMMC.

4. Energy Sector

The May 2021 ransomware attack on Colonial Pipeline is the most recent in a long line of cyberattacks against the U.S. energy sector, but it won't be the last.

Bitsight research finds that 62% of oil and energy companies are at heightened risk of ransomware attacks due to their weak cybersecurity performance. And nearly 100 of these organizations are 4.5 times more likely to experience such an attack.

It’s critical that these companies immediately assess their security programs to discover any gaps, particularly around configuration management, patching, vulnerability management, and endpoint security.

Electric utilities and other entities that own or operate bulk electric system assets must also comply with the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) cybersecurity standards. NERC develops the standards and audits registered entities against them; the Federal Energy Regulatory Commission (FERC) approves the standards, can direct NERC to revise them, and makes them mandatory and enforceable with financial penalties. They are one set of requirements, not two. Read about effective strategies for achieving NERC CIP compliance.

5.  Consumer Businesses

Businesses that have direct contact with consumers, such as restaurants, retailers, and consumer product companies, are increasingly using digital technologies and data initiatives to improve the customer experience.

While customer data is necessary for these interactions, legislation requires that businesses protect it and respect consumer privacy.

For instance, the General Data Protection Regulation (GDPR), which took effect in May 2018, set new requirements for how businesses, including U.S. businesses, collect, process, and store the personal data of individuals in the European Union, regardless of those individuals' citizenship.

Fines for non-compliance are high: up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher, and EU regulators are not shy about imposing them.

California enacted similar legislation with the California Consumer Privacy Act (CCPA) in 2018; it took effect on January 1, 2020.

Other states are following suit. In March 2021, the Commonwealth of Virginia enacted the Consumer Data Protection Act (effective January 1, 2023), which adds data protection assessment requirements for higher-risk processing.

Consumer businesses that store, process, or transmit credit card payments must also meet the Payment Card Industry Data Security Standard (PCI DSS), which stipulates requirements for securing cardholder data. PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC) and is enforced contractually by the card brands and acquiring banks rather than by a government regulator.

6. Publicly Traded Companies

In July 2023, the Securities and Exchange Commission (SEC) adopted new rules on cybersecurity disclosure for publicly traded companies.

These rules create new obligations to report material cybersecurity incidents and to disclose information about cybersecurity risk management, strategy, and governance, including the board's oversight and management's expertise.

Companies must include the risk management and governance disclosures in annual reports for fiscal years ending on or after December 15, 2023, and must disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material.

The SEC also encourages companies to have policies and procedures in place to prevent insider trading based on nonpublic information about cybersecurity risks and incidents.

Failure to comply with these rules can result in regulatory action, investor lawsuits, and potential reputational damage.

While cybersecurity compliance is an essential goal if your organization operates in these sectors, you can also mature your cybersecurity program by modeling it after common cybersecurity frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 (part of the ISO 27000 series), and the CIS Critical Security Controls (formerly known as the CIS 20).

Use Bitsight Security Ratings to assess and score your cybersecurity performance and continuously monitor your third parties to ensure they don’t pose a hidden risk to your network. With frameworks as your guidepost and the insight that Bitsight brings, you can better understand what regulators are looking for and continue to mature your cybersecurity performance.