Cybersecurity and regulatory compliance are becoming increasingly entwined, especially regarding businesses for which consumer data is a key resource. Learning more about various cybersecurity compliance laws in 2021, which may apply to you, trends in the regulatory landscape, and external forces pushing this legislation is key to keeping your business on the right side of the law.
With more data than ever being siloed and used by businesses, consumer and governmental concerns are understandably heightened. On top of the financial and reputational damage posed by cyberattacks, such as data breaches or ransomware, businesses now also face the possibility of fines in the hundreds of millions of dollars as well as civil suits.
LIFARS Compliance Advisory is designed to understand your compliance needs, ascertain current status, provide remediation guidance, and conduct a post-remediation assessment to ensure compliance with regulatory mandates such as GDPR, CCPA, PIPEDA, FFIEC, NYDFS, HIPAA, and more.
State-by-state Data Privacy Regulations
Individual states implementing state-specific privacy bills are not exactly new. However, the momentum behind state-level legislation has been growing, especially since California passed the CCPA (California Consumer Privacy Act) in 2018. One of the most widely known and comprehensive bills, it went into effect in January 2020. The SHIELD Act adopted in the state of New York is another recent high-profile example.
According to The IAPP Westin Research Center, as many as 30 states have comprehensive privacy bills on the way at various stages, from just being introduced, to being considered by state legislative bodies, to having been signed off.
The same goes on a global scale, with Europe’s GDPR (General Data Protection Regulation) and other regional legislation presenting major challenges for international business operations.
Organizations need to have the leadership and flexibility in place to be able to quickly adopt and stay compliant with an increasingly diverse regulatory network. Bills also typically mandate both consumer rights and business obligations, so organizations must be sensitive to both facets.
At the same time, any federal bodies, or organizations involved with federal bodies (such as cloud service providers), need to be sensitive to compliance requirements under FISMA, FedRAMP, and other legislation.
Adapting in the Wake of the COVID-19 Pandemic
The COVID-19 pandemic has exacerbated the challenges faced by organizations in staying compliant with cybersecurity regulations. Continued adoption of remote workforces and an increasing reliance on cloud services has expanded the attack surface for many organizations.
Businesses will need to implement additional protective security arrangements to maintain the same level of compliance in a distributed environment. Mobile and endpoint device management, strong multi-factor authentication, sophisticated role management, heightened encryption, and other controls that limit data exposure should receive higher priority.
A surge in ransomware, phishing, spear-phishing, and other cyber-attacks followed in the wake of the first lockdown, circa March 2020. The spike in attacks was particularly aggressive in highly regulated industries such as healthcare (HIPAA) and finance.
While we are seemingly on the road to recovery, there is still no guarantee of when everything will go back to normal. Regardless, heightened attention and regulatory concern will put increasing pressure on organizations, especially in sensitive fields, to maintain compliance.
Other Major Cybersecurity Compliance Regulations
2020 has seen a number of major new bills, acts, and other legislation enacted in the arena of cybersecurity compliance. Spurred on by additional challenges from the COVID-19 pandemic, 2021 is set to offer more of the same.
Here are some of the most important recent events in cybersecurity compliance that you should be aware of:
Internet of Things (IoT) Cybersecurity Improvement Act of 2020
This act was signed into law on 4 December 2020. It mandates a number of requirements regarding the development, adoption, and implementation of security standards for IoT devices by the federal government. While this act only currently applies to IoT devices owned by the federal government, it’s hoped and expected that the spill-over effect will spur consumer device manufacturers to apply similar standards.
Cybersecurity Maturity Model Certification
The CMMC is a unified standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). This program was announced on 31 January 2021. Certification is mandatory for any business that wants to bid on DoD (Department of Defense) contracts. The program is so wide-ranging that it affects over 300,000 organizations down the supply chain.
It’s also worth noting that specific industries are starting to adopt cybersecurity compliance standards through their relevant regulatory bodies. Take the International Maritime Organization (IMO) as an example. It has published cybersecurity requirements that any ship’s annual Document of Compliance audit after 1 January 2021 must pass.
The cybersecurity compliance landscape has never been as diverse as it is today. While this signals a promising trend towards the adoption of minimum security standards and global best practices, it also poses extra challenges for businesses and organizations. Compliance is not simply a matter of raising the bar for your organization’s security. It is also a matter of avoiding costly fines and potential civil suits.
This highlights the importance of working with a security partner with the experience and global outlook to navigate the complexities of Cybersecurity Compliance Laws in 2021 and beyond.