Insights blog.

Bitsight, the Standard in Security Ratings, has established itself as not only a clear leader in security ratings but now also in the burgeoning field of data privacy.

In an effort to demonstrate to its customers how seriously it takes protecting their data, and to lead the market to implement more comprehensive data privacy systems and practices, Bitsight is now the proud recipient of TrustArc’s TRUSTe APEC CBPR Enterprise Certification and the TRUSTe APEC PRP Enterprise Certification.

In order to receive this designation, Bitsight completed a demanding certification process based on a comprehensive set of requirements governing data privacy management practices, including the privacy standards set forth in the APEC Cross Border Privacy Rules (CBPR) and the APEC Privacy Recognition for Processors (PRP) Systems. These practices are further detailed in the TRUSTe Enterprise Privacy & Data Governance Practices Assessment Criteria.

The European Union (EU) will soon launch a new regulation that will require banks and firms in the global financial industry to mature their third-party risk management programs to include set cybersecurity requirements – which will also apply to the critical Information and Communication Technology (ICT) service providers they are working with.

In light of recent significant attacks targeting the U.S. government, the Biden administration issued an Executive Order (EO) on cybersecurity on May 8, 2021.

Overall, the EO starts to fill in some critical gaps in US government cybersecurity capabilities. The EO is designed primarily to protect Federal infrastructure, but will also have significant impact on private sector service providers (e.g. software providers) who will now be required to meet new security requirements in order to do business with the U.S. government.

Recently, the National Institute of Standards & Technology (NIST) released a guide for federal agencies to apply the NIST Cybersecurity Framework to government affairs. This comes during a time of heightened attention on the government’s cybersecurity efforts leading up to the election.

In the upcoming months, the Cybersecurity Maturity Model Certification (CMMC) will go live. Thousands of third party assessors will begin cybersecurity assessments of hundreds of thousands of U.S. Defense contractors.  What will the assessors find? 

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which include the FRB, FDIC, NCUA, OCC, and CFPB.

Early in 2019, unknown threat actors attempted to hack the Australian federal Parliament’s computer network and the servers used by every politician, staffer, and security officer in Parliament House. Authorities believe there is a strong chance this could have been executed by a state-based actor.

Schools and colleges are facing an alarming increase in cybersecurity incidents. Some hackers seek ransoms while others see value in scooping up personally identifiable information to sell to identity thieves.

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

The North American Electric Reliability Corporation (NERC) has developed a new set of cybersecurity standards designed to help power and utility (P&U) companies limit their exposure to third-party cyber risks and preserve the reliability of bulk electric systems (BES).

In June 2018, the European Banking Authority (EBA) put forth guidelines on outsourcing arrangements that highlighted the importance of risk management within financial organizations. The notice of these guidelines was announced in June 2018 and will be enforced later in 2019.

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations — known as 23 NYCRR Part 500 — went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

After years of debate over whether to impose new cybersecurity regulations on companies,  General Data Protection Regulation (GDPR) laws went into effect in Europe in May 2018. Already we’ve seen several data breach victims ordered to pay fines under the new rules and cookie disclosure notices are popping up on more websites than ever. 

Last month, the EU NIS Directive (Directive on Security of Network and Information Systems) went into effect. This directive is the first EU-wide piece of legislation specifically focused on cybersecurity. Its goal is to “achieve a high common level of security of network and information systems within EU.” Network and information systems, and the essential services they support, play a vital role in society; their reliability and security are essential to everyday activities.

The implementation of many strict cybersecurity regulations and requirements (including GDPR, NYDFS, and more) continues to increase on a global scale. 2018 has also brought about the continuation of strict cybersecurity regulations in the Asia Pacific region: most notably in Singapore, Australia, and Hong Kong. This year, one new requirement from 2017, the Securities & Futures Commission’s Guidelines, go into effect.