The Who, What, When, Where and Why of All Major Cybersecurity Regulations.
The cybersecurity regulations are coming. Many of them are already here. Keeping up with the latest cybersecurity regulations can be daunting and steal focus from your business's core competencies. How you handle compliance with these requirements will greatly impact your bottom line: companies that do not comply with cybersecurity requirements may face hefty fines or loss of contracts, while companies that adopt early are lauded as industry leaders.
We rounded up the seven biggest cybersecurity regulations and frameworks (NIST, DFARS, GDPR, NYDFS, HIPAA, FISMA, and PCI DSS) and the key requirements of each to give you a better idea of where your organization stands.
Want to be compliant but aren’t sure where to start? Let us handle it. Typically, outsourcing your cybersecurity compliance efforts costs less than 1% of potential fines. How’s that for ROI?
NIST - US National Institute of Standards and Technology Cybersecurity Framework
Who: Adoption is voluntary for private companies, but US federal agencies are required to use it (Executive Order 13800, May 2017), so any company that wants to do business with the US government or act as a Department of Defense (DoD) contractor should expect to be measured against it.
What: A framework for understanding and improving cybersecurity risk management. The core of the framework consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. Each Function breaks down into categories and subcategories that map to existing standards (including NIST SP 800-53, ISO/IEC 27001, and COBIT), so organizations can see where they stand across the whole risk management lifecycle rather than adopting a new control catalog.
When: NIST is a framework rather than a regulation, so different agencies have different dates for requiring compliance.
Where: Primarily the US, though it is used globally as a template for cybersecurity strategy, and international companies wishing to do business with the US government must also comply.
Why: NIST is the standard for the US government, and therefore is the standard for any company that wants to do business with them. NIST is also a great place to start for companies who want to improve their cybersecurity posture.
DFARS - Defense Federal Acquisition Regulation Supplement
Who: All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI).
What: DFARS clause 252.204-7012 points to NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It is a guideline for keeping sensitive federal information confidential when it is stored or processed in nonfederal systems. There are 110 security requirements in 14 families, including audit logging and review (in practice usually met with a SIEM), multi-factor authentication for privileged and network access, security awareness training, FIPS-validated encryption of CUI at rest and in transit, and a written System Security Plan with plans of action for any unmet requirements. The clause also requires reporting cyber incidents to DoD within 72 hours of discovery.
When: Covered contractors were required to have implemented NIST SP 800-171 by December 31, 2017.
Where: Everywhere. DFARS impacts companies that act as contractors for the US Department of Defense, regardless of where that company is based.
Why: DFARS is mandatory for all DoD contractors. If any of your business involves defense contracting, compliance is crucial. Disregard of these requirements can lead to criminal, civil, administrative, or contract penalties.
NYDFS - New York Department of Financial Services Cybersecurity Requirements
Who: Banks, insurers, and other financial services companies licensed or regulated by the New York Department of Financial Services (codified as 23 NYCRR Part 500), including out-of-state companies that hold a New York license.
What: A set of requirements mandating implementation of a risk-based cybersecurity program. The NYDFS regulation requires a designated CISO, written cybersecurity policies and an incident response plan, continuous monitoring or periodic penetration testing and vulnerability assessments, periodic risk assessments, multi-factor authentication and encryption of nonpublic information (or documented compensating controls), notification to the Superintendent within 72 hours of a qualifying cybersecurity event, and an annual certification of compliance signed by a senior officer or the board.
When: The regulation took effect March 1, 2017 with phased transition periods; the first annual Certification of Compliance was due February 15, 2018.
Where: Technically just New York State, but any covered company doing business there (meaning having offices, employees, or clients) must comply, and other states are looking at similar programs. If your company is not directly impacted by these regulations, the proactive approach is to use them as a guideline for your cybersecurity strategy.
Why: Fines. The regulation does not set its own fine schedule; experts expect enforcement to follow the existing New York Banking Law, which uses the following benchmarks:
$2,500 per day during which a violation continues
$15,000 per day in the event of any reckless or unsound practice or pattern of misconduct
$75,000 per day in the event of a knowing and willful violation
GDPR - European Union General Data Protection Regulation
Who: Every organization, inside or outside of Europe, that holds or processes the personal data of individuals in the European Union. Processors such as cloud service providers are not exempt: the GDPR places direct obligations on them alongside the controllers whose data they handle.
What: A comprehensive regulation mandating a transparency and accountability framework that drastically changes how companies handle personal data. The GDPR requires organizations to: map and classify the personal data they hold and document the lawful basis for processing it; perform Data Protection Impact Assessments for high-risk processing; build privacy into new systems and processes by design and by default; appoint a Data Protection Officer where Article 37 requires one (public authorities, or core activities involving large-scale monitoring or special categories of data); notify the supervisory authority of a personal data breach within 72 hours where feasible; honour data subject rights such as access, erasure, and portability; and document both their processing activities and their compliance measures.
When: The GDPR was adopted in April 2016 and became enforceable on May 25, 2018, the date from which fines for non-compliance can be imposed.
Where: Everywhere. Any company processing the personal data of anyone residing in the European Union, regardless of the company’s location, is affected.
Why: Fines. Organizations in breach of the GDPR can be fined up to 4% of their annual global turnover or €20 million, whichever is greater; a lower tier of up to 2% or €10 million applies to less serious violations.
Worried about the GDPR? Our blog post on GDPR compliance will help you get started.
HIPAA - Health Insurance Portability and Accountability Act
Who: Covered entities (health insurance companies, HMOs and other health plans, health care clearinghouses, and providers such as doctors, clinics, psychologists, chiropractors, nursing homes, and pharmacies) and the business associates that perform work for them involving protected health information.
What: A set of regulations to protect patient privacy. The HIPAA Security Rule emphasizes risk management and requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI). From a cybersecurity standpoint, HIPAA requires organizations to: perform and document a risk analysis; limit access to ePHI to the minimum necessary; encrypt ePHI at rest and in transit (an "addressable" specification, meaning you must either implement it or document why an equivalent alternative is reasonable); maintain security incident response procedures; and provide periodic security awareness training to the workforce.
When: HIPAA was enacted in 1996. Its Privacy Rule (compliance required 2003) and Security Rule (2005) set the data protection requirements, and the HITECH Act (2009) and Omnibus Rule (2013) strengthened enforcement and extended obligations directly to business associates.
Where: The United States. Most countries have their own version of these requirements.
Why: Fines and potential jail time. Civil penalties range from $100 to $50,000 per violation (each compromised record can count as a separate violation), with an annual cap of $1.5 million per identical provision violated, tiered by culpability from "did not know" up to "willful neglect." Separately, knowingly obtaining or disclosing identifiable health information is a criminal offense with sentences of up to ten years in prison when done with intent to sell the data or to cause malicious harm.
FISMA - Federal Information Security Modernization Act
Who: All federal agencies, and contractors or other organizations that operate information systems on an agency's behalf. Private sector companies that can demonstrate FISMA-aligned controls have an advantage over others when competing for contracts with federal agencies.
What: FISMA is United States legislation that requires federal agencies to develop, document, and implement an agency-wide information security program. The primary FISMA requirements include: an information system inventory; risk categorization of each system (FIPS 199); selection and implementation of security controls (NIST SP 800-53); a system security plan; authorization of the system by an accountable official; and continuous monitoring of the controls.
When: FISMA was originally enacted as Title III of the E-Government Act of 2002 (the Federal Information Security Management Act) and was updated and renamed by the Federal Information Security Modernization Act of 2014.
Where: The United States.
Why: Failure to comply can result in a range of penalties including censure by congress, a reduction in federal funding, and reputation damage.
PCI - Payment Card Industry Data Security Standard
Who: Organizations of any size that process, store or transmit cardholder data. Validation of compliance (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) is required by the card brands, with the level of validation set by the merchant's acquiring bank based on annual transaction volume.
What: The PCI Data Security Standard specifies twelve requirements for compliance, organized into six groups called "control objectives." Under these objectives, companies must: build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. Reducing the scope of the cardholder data environment, for example by tokenizing card numbers or outsourcing payment capture, is the most effective way to reduce the assessment burden.
When: Originally implemented in 2004 and updated periodically to address emerging technologies and threats.
Why: Fines. The card brands do not publish a fine schedule, but commonly cited non-compliance fines range from $5,000 to $500,000 per month, levied on the acquiring bank and passed through to the merchant. Compliance does not make breaches impossible: following a breach, commonly cited costs run $50 to $90 per compromised record for card reissuance and fraud, and a merchant may also lose the ability to accept cards altogether if its acquirer terminates the account.
Let Us Help
At Bluestone Analytics, we specialize in helping businesses understand these regulations and achieve their compliance goals. If you are interested in learning more about how we can help your organization achieve compliance with these or other security regulations, contact us.