A Wake-Up Call for Emerging Cybersecurity Compliance Changes
While it is not an exciting topic, I find I am passionate about compliance. Most cybersecurity professionals agree that 'compliance' does not necessarily equal 'secure' (many companies that have been breached were fully compliant at the time), but compliance can establish a baseline level of security and can drive budget. With that in mind, we need to remember that not only is the threat landscape changing every year, but so are the standards and regulations we must meet as CISOs. Compliance also matters as evidence that we followed recognized practices if we do suffer a breach and end up facing a class action lawsuit or the possibility of regulatory fines.
Many of the U.S. federal compliance standards tie back to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The new 2.0 version of the framework is out, and one of the big changes is that it adds a sixth function. The five existing functions, "Identify/Protect/Detect/Respond/Recover," are unchanged, but a "Govern" function was added at the center of the framework's wheel, underpinning the other five. The Govern function is broken into these categories:
- Organizational context
- Risk management strategy
- Cybersecurity supply chain risk management
- Roles, responsibilities and authorities
- Policy (and the processes and procedures that implement it)
- Oversight
While most companies already have a documented security program, it will be important to confirm that each of these Govern categories is explicitly addressed in it. In addition, I find that using the NIST framework's own terms in program documentation makes audits smoother, because auditors can map your controls to the framework without translation. So, take some time to review what is new in the updated version of the NIST CSF.
Next, for anyone who accepts credit cards as part of their business model, the Payment Card Industry (PCI) Data Security Standard (DSS) has released version 4.0. The standard's risk approach has changed, and technical requirements have been added in areas such as protecting the JavaScript that runs on payment pages (in response to skimming attacks by groups like Magecart) and securing APIs. So, this is an area where you need to review how your program works or, if you have outsourced payment processing, to confirm that the vendor has validated against the new version of the standard.
The European Union (EU) is a key region to keep an eye on when it comes to emerging regulations. We have seen it set the standard for privacy that many other countries and U.S. states now follow, and it continues to drive access, transparency and privacy requirements through laws on data sovereignty and localization. On the emerging front, the Digital Operational Resilience Act (DORA) focuses on the operational resilience of financial-sector organizations and of the key supply chain vendors they depend on. Additionally, the Artificial Intelligence (AI) Act is focused on ensuring that AI systems are "safe, transparent, traceable, non-discriminatory and environmentally friendly." Expect to see more customer due diligence questions around these topics as well. It is time to consider including them in your security policy program and, where appropriate, in your technical security controls.
On the threat side, ransomware continues to be a major issue, and we are seeing some lawmakers start to weigh in. Most of the resulting regulations concern breach notification, but some laws now address payments directly. In the U.S., North Carolina and Florida have started to address this, as both states have banned government entities from paying ransoms in connection with ransomware attacks. Other states have proposed similar legislation.
This is a great time to call out the need for a team approach to compliance. With companies often falling under multiple regulations and standards and operating in multiple jurisdictions, you will need your legal team to track which laws apply. You should also encourage your vendor management team to verify that suppliers in your supply chain are compliant. The IT and InfoSec teams need to make sure that the processes and technical controls in place actually meet the requirements. And finally, the risk and audit teams are responsible for independently validating the program.
The last topic is not directly related to compliance but is still worth mentioning. Many cybersecurity leaders are tracking a concerning development: CISOs being criminally charged or named in a Securities and Exchange Commission (SEC) complaint. This has served as a wake-up call for cybersecurity leaders to confirm that they have the right protections, such as directors and officers (D&O) insurance or fiduciary liability coverage, and to understand the company's stance on providing legal support for any defense that becomes necessary.
So, as the year kicks off, now is a good time to think through what updates to your compliance program might be needed.