Stay ahead of the compliance curve. Dive into our playbook curated by Tim Grieveson, Senior Vice President and Global Cyber Risk Advisor. Unearth insights to not just comply but lead in the era of NIS 2, DORA, PS21/3, and emerging cyber regulations.
Cyber Security Regulations
Tags:
What are Cyber Security Regulations?
Cyber security regulations are laws and legal standards that govern how organizations protect their digital assets, data, and networks from cyber threats and data breaches. Cyber security regulations may stipulate the types of controls organizations must deploy, how customer data must be protected, who is accountable and responsible for ensuring security, and how organizations manage risk in third-party vendor networks.
They often vary by industry, region, and the sensitivity of the data involved. For organizations, complying with cybersecurity regulations is crucial not only for protecting sensitive information but also for avoiding penalties, legal consequences, and reputational damage.
What Are the 3 Main Cybersecurity Regulations?
In the U.S. and globally, several key cybersecurity regulations play a significant role in shaping security practices:
- The General Data Protection Regulation (GDPR): A comprehensive data protection law that applies to organizations operating in or doing business with the European Union. It focuses on protecting individuals' personal data, granting them rights over their information, and imposing strict obligations on data processors and controllers. Penalties for non-compliance can be substantial.
- The Health Insurance Portability and Accountability Act (HIPAA): This U.S. law applies to the healthcare sector, specifically focusing on protecting patients' sensitive health information. HIPAA mandates that healthcare organizations implement administrative, physical, and technical safeguards to secure electronic health records (EHRs) and other forms of personal health information.
- The Payment Card Industry Data Security Standard (PCI DSS): This set of security standards is designed to protect payment card information. It applies to all organizations that handle credit card transactions and requires stringent security measures to protect cardholder data, including encryption, access control, and regular vulnerability testing.
Regulation of Cybersecurity in the U.S.
In the United States, cybersecurity regulation is fragmented, with different laws applying to different sectors and levels of government. Key federal agencies like the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) oversee general cybersecurity practices, while sector-specific regulations target critical industries like healthcare, finance, and energy. Some of the major cybersecurity regulations in the U.S. include:
- The Cybersecurity Information Sharing Act (CISA): Encourages sharing of cybersecurity threat information between the private sector and the government to improve response and defense mechanisms.
- The Gramm-Leach-Bliley Act (GLBA): Governs financial institutions, ensuring they protect consumers’ private information and disclose data-sharing practices.
- The Federal Information Security Management Act (FISMA): Requires federal agencies to develop, document, and implement security programs for protecting their information systems.
At the state level, several states like California have introduced their own stringent laws, such as the California Consumer Privacy Act (CCPA), which provides California residents more control over their personal information and imposes strict penalties for data breaches.
What's the Key to Complying with Cyber Security Regulations?
To comply with increasingly complex regulations, an organization needs clear visibility into its digital ecosystem and attack surface. Organizations must also be able to identify risks and the controls in place to mitigate it, and measure security performance over time to adjust security controls and improve digital risk protection. Organizations typically follow a structured approach that includes:
- Risk Assessment: Identifying vulnerabilities and the potential impact of cyber threats.
- Policies and Procedures: Implementing security controls and practices that align with regulations.
- Training and Awareness: Educating staff on security best practices and their role in compliance.
- Auditing and Monitoring: Regularly auditing systems and processes to ensure they meet regulatory requirements and adjusting them as necessary.
What Are the 5 Laws of Cybersecurity?
Risk leaders and cybersecurity professionals often refer to fundamental principles that guide the protection of systems and data. While not formal "laws," these five concepts provide a framework for understanding critical aspects of cybersecurity:
- Confidentiality: Ensuring that information is accessible only to those who have authorization.
- Integrity: Protecting information from being altered in an unauthorized manner to ensure accuracy and reliability.
- Availability: Ensuring that systems and data are available to authorized users when needed.
- Authentication: Verifying the identity of users and systems to prevent unauthorized access.
- Non-repudiation: Ensuring that actions taken by users (like transactions) can’t be denied, often through digital signatures or logs.
What Is the Difference Between Cybersecurity Laws and Regulations?
- Cybersecurity laws refer to the legal mandates enacted by governments to protect against cybercrime, espionage, and other threats. These laws often criminalize certain behaviors, such as hacking or identity theft.
- Cybersecurity regulations, on the other hand, are rules that govern how businesses must protect data, systems, and networks. These regulations focus on prevention and ensuring organizations follow specific practices to safeguard information.
The Rise of Cyber Security Regulations
A growing number of cyber security regulations are creating a complex web of compliance requirements for organizations around the world. In analyzing the massive and escalating volume of regulation, a couple of themes emerge loud and clear.
Many elements of cybersecurity regulations are directed at establishing accountability and responsibility to ensure that senior leadership in companies are treating security and risk issues seriously and strategically. Many regulations stipulate information security requirements and controls that organizations must have in place to safeguard customers’ personal data from risk of misuse, unauthorized access, and theft.
Additionally, under many cyber security regulations, organizations are now liable for the actions or failings of their vendors and third parties. These regulations recognize the risk within supply chains and the importance of having effective risk management processes to support privacy obligations and information passed on to third parties.
To meet these new mandates, organizations must adopt a cybersecurity model that focuses on monitoring, managing, and reducing risk through security controls and regular board-level reporting. Organizations must also continuously assess and monitor their security posture and performance as well as that of their partners, third-parties, and all those connected to their network to identify security gaps and prioritize remediation of risk.
Managing Risk and Cyber Security Regulations
Data breaches have become the new “business normal.” Indeed, in a 2019 report, Carbon Black reported that in the past 12 months, 88% of global businesses had experienced one or more breaches. In response to this growing onslaught of cyber threats, new regulations are being implemented to protect organizations, their data, and their customers. From the EU’s General Data Protection Regulation (GDPR), new SEC cybersecurity disclosure rules, and HIPAA to PCI security standards and privacy laws throughout the world, cyber security regulations have never been as voluminous or complicated.
To comply with increasingly complex cybersecurity regulations, organizations need powerful tools for monitoring cybersecurity risk, managing cybersecurity governance, and implementing cybersecurity best practices.
Bitsight can help. With a suite of cyber risk management solutions backed by objective security ratings, Bitsight helps organizations identify risk in their digital ecosystems and supply chains, enabling security teams to focus resources on remediation and compliance.
New SEC Cybersecurity Rules Present Opportunities
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) voted to adopt new cybersecurity requirements for publicly traded companies, creating new obligations for reporting “material” cybersecurity incidents and requiring more detailed disclosure of cybersecurity risk management, expertise, and governance. Companies will be required to disclose risks in their annual reports beginning on December 15, 2023.
While some may view this as another new regulation that diverts attention away from their day-to-day responsibilities, many cybersecurity leaders are embracing this momentous occasion as strategic advancement to cement their critical role in the business:
- Stronger relationship with C-suite and Board
- Using performance metrics to describe a successful program
- Financial quantification of risk
- Assure all stakeholders, but particularly shareholders
- Grow budget
- Differentiate their company in the market
The new SEC regulations offer cybersecurity professionals an opportunity to become business leaders, critical to achieving risk reduction and business growth goals but there’s one critical element underlying these opportunities: cyber risk benchmarking.
Independent benchmarking is an objective analysis of an organization’s cybersecurity performance based on quantitative data. Independent benchmarking data is based on non-intrusive, continuous, comprehensive data collection which allows for the creation of comparable, reliable insights and metrics. Independent benchmarking allows security leaders to compare their organization’s cybersecurity performance with peers or across entire sectors and industries on an ongoing basis. This type of benchmarking helps leaders know how their programs are performing over time and whether that performance is aligned with industry standards of care.
Bitsight helps organizations perform independent benchmarking by evaluating the security performance of organizations in a continuous, non-intrusive manner. Our ratings and analytics enable business leaders to understand their organization’s security performance across 23 different risk vectors. Capabilities like Bitsight Peer Analytics allow CISOs to analyze their organization’s performance against industry and sector peers of their choosing. Bitsight delivers a quantitative, objective analysis of organizational cybersecurity performance compared to tens, hundreds, thousands, or even hundreds of thousands of peers, all immediately available.
Many companies find that publicly disclosing independent benchmarking data is a highly effective way of communicating cybersecurity performance to shareholders and the broader marketplace. This helps improve shareholder confidence and trust in their investment decisions. Some examples of disclosing benchmarking data include:
- Equifax includes cybersecurity performance benchmarks in its Annual Security Report. Equifax focuses on its performance compared to peers in the Finance and Technology sectors. Equifax notes that its security capabilities “ranked in the top 1% of Technology companies and top 3% of Financial Services companies analyzed.”
- Darling Ingredients leverages cybersecurity performance benchmarks in its Annual ESG Report, describing its cyber program as “being in the top 10% of the Energy/Resource Industry.”
- Schneider Electric includes cybersecurity performance benchmarks in its Annual Sustainability Report, describing its program as being ranked “in the Top 25% in external ratings for Cybersecurity performance.”
Other companies find that disclosing their individual security performance rating meets investor requirements. For example, DHL includes its own cybersecurity performance rating in their Annual Earnings Results presentation.
Shareholders and investors value meaningful data that helps them truly understand the risk of an organization. And organizations trust Bitsight’s data for independent benchmarking and disclosure because its analytics are strongly correlated to cybersecurity incidents. In a recent independent study by the Marsh McLennan Cyber Risk Analytics Center, a total of 14 Bitsight analytics—including the Bitsight Security Rating—were found to be strongly indicative of incident likelihood. Bitsight is still the only security ratings provider with multiple, independent third-party studies proving that its analytics have statistically significant correlation to critical outcomes, including cybersecurity incidents, data breaches, and company stock performance.
In summary, independent benchmarking data is quickly becoming a critical data point for business leaders who are evaluating their new obligations, understanding their cybersecurity programs, and crafting effective disclosure strategies. Please reach out to a Bitsight representative who can help you understand your organization’s cybersecurity performance and industry benchmarks.
Bitsight Security Ratings
Bitsight Security Ratings provide organizations with a powerful tool for managing compliance with cyber security regulations. Bitsight ratings provide a data-driven measurement of the cyber security performance of an organization as well as its vendors, partners, suppliers, and acquisition targets. Bitsight Security Ratings can immediately expose cyber risk within a company’s IT environment or its supply chain. Using security ratings, security teams can work quickly to address security issues, prioritize resources, and bring their company and partners into compliance with cyber security regulations.
Bitsight Security Ratings are based on objective, verifiable information. Bitsight uses more than 120 data sources to analyze an organization’s security posture, measure its security performance, and identify areas of risk. Using a proprietary algorithm, Bitsight Security Ratings are based on analysis of four areas of security data: evidence of compromised systems, issues with security diligence, risky user behavior, and publicly disclosed data breaches.
Bitsight Security Ratings are calculated daily, and Bitsight provides alerts when an organization’s security rating changes significantly or when there’s risk identified in your network or vendor pool.
Solutions for Compliance with Cyber Security Regulations
In addition to Security Ratings, Bitsight provides solutions that can ensure compliance with cyber security regulations.
- Bitsight Security Performance Management (SPM) is a cybersecurity governance and exposure management solution that gives CISOs unique analytics insights. Prioritize the right activities to reduce exposure, while also setting the right targets and improvement plans to manage cyber risks. Risk leaders use SPM to confidently tackle cyber risk governance and external attack surface management, then confidently communicate and prove program performance.
- Bitsight Third-Party Risk Management exposes cyber risk within the supply chain. With automated tools that continuously measure and monitor the security performance of vendors, Bitsight helps organizations comply with cyber security regulations concerning third-party risk. Bitsight accelerates onboarding while prioritizing resources to drive efficient risk reduction across the vendor portfolio.
Why Bitsight leads the security ratings industry
An industry-leading solution
Bitsight is the world’s leading provider of cyber risk intelligence, transforming how security leaders manage and mitigate risk. Leveraging the most comprehensive external data and analytics, Bitsight empowers organizations to make confident, data-backed decisions and equips security and compliance teams from over 3,300 organizations across 70+ countries with the tools to proactively detect exposures and take immediate action to protect their enterprises and supply chains. Bitsight customers include 38% of Fortune 500 companies, 4 of the top 5 investment banks, and 180+ government agencies and quasi-governmental authorities, including U.S. and global financial regulators.
Extensive visibility
Bitsight operates one of the largest risk datasets in the world. Leveraging over 10 years of experience collecting, attributing, and assessing risk across millions of entities, we combine the power of AI with the curation of technical researchers to unlock an unparalleled view of your organization. Bitsight offers more complete visibility into important risk areas such as botnets, mobile apps, IoT systems, and more. Our cyber data collection and scanning capabilities include:
- 40 million+ monitored entities
- 540 billion+ cyber events in our data lake
- 4 billion+ routable IP addresses
- 500 million+ domains monitored
- 400 billion+ events ingested daily
- 12+ months of historical data
Superior analytics
Bitsight offers a full analytics suite that addresses the challenges of peer comparison, digital risk exposure, and future performance.
Ratings validation
Bitsight is the only rating solution with third-party validation of correlation to breach from AIR Worldwide and IHS Markit.
Quantifiable outcomes
Bitsight drives proven ROI with significant operational efficiency and risk reduction outcomes.
Prioritization of risk vectors
Bitsight incorporates the criticality of risk vectors in to calculation of Security Ratings, highlighting risk in a more diversified way to ensure the most critical assets and vulnerabilities are ranked higher.
