Changing Face of Cyber and IT Compliance Calls for Automated Compliance


Introduction

The escalating number of cyber attacks and data breach incidents around the world has made cyber resilience a top priority for regulatory authorities. There has been a significant uptick in new IT regulations and regulatory updates in recent years aimed at protecting IT and cyber infrastructure and assets of organizations.

The exponential increase in regulatory intensity poses a major and complex challenge for IT risk and compliance management functions of organizations. But given the high cost of non-compliance, organizations have no choice but to keep track of evolving regulations and ensure error-free compliance.

In this blogpost, we will look at some recent developments in IT and cyber regulations, the challenges faced by organizations due to the high volume and complexity of regulatory issuances, and how automated compliance can help overcome the challenges.

Recent Developments in IT and Cyber Regulations

Most IT compliance standards, regulations, and frameworks now focus on customer data privacy, better customer control over their data, and disclosure of breach incidents, as well as IT security compliance processes.

Here are some of the recent developments in IT regulations and frameworks:

1. SEC Cybersecurity Rules

The Securities and Exchange Commission’s (SEC) new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies rules (the rules) came into force in December 2023.

The SEC announced some key changes to the reporting requirements in Forms 8-K and 10-K. Under the new Item 1.05 of Form 8-K, registrants have to disclose cybersecurity incidents within four days of determining materiality. They have to disclose the material aspects of the incident’s scope, nature, and timing, as well as its impact or likely impact on the organization. Within a month of the rules coming into force, several companies had filed breach notifications, including Microsoft Corp, VF Corp, Hewlett Packard Enterprise Co, and First American Financial Corp.

Under Regulation S-K Item 106, registrants also have to disclose details about their cybersecurity risk management policies and procedures, management’s role in evaluating and managing material risks from cybersecurity threats, and the board of directors’ oversight of these risks. Annual reports for fiscal years ending on or after December 15, 2023 had to include these disclosures. By January 2024, three such filings had been reported, by Lockheed Martin Corp, Schlumberger Limited / NV, and United Rentals Inc. All three companies mentioned cybersecurity more than twice as often as in their filings for the previous financial year.

2. US State Laws

In the US, privacy laws are not the sole responsibility of the federal government. Individual states have the power to issue state-specific regulations. In addition to California, Virginia, Utah, and Colorado, the following states have recently announced privacy regulations.

  • Montana (SB 384) and Oregon (SB 619) are revising consumer privacy laws and establishing rules for use of personal data
  • Tennessee passed the "Tennessee Information Protection Act" as an amendment to the Tennessee Code
  • Texas aims to regulate the collection, usage, management and processing of customers’ personal data with HB4 and impose civil penalties
  • Indiana added a new article in the Indiana Code to secure consumer data protection rights, including the right to know, correct, delete, and opt out of data processing measures
  • Rhode Island amended its Identity Theft Protection Act of 2015:
    • Adults affected by a data breach will now get five years of credit monitoring and fraud resolution services from the state and municipalities
    • Minors will get the same until they turn 18, with an additional two years after that
    • Notification timelines were shortened to within 30 days of a confirmed breach, and if more than 500 residents of the state are affected then the Attorney General and main credit reporting agencies must be notified

3. White House Executive Order

In May 2021, President Biden issued Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity” to ensure that agencies improve their cybersecurity and software supply chain integrity. The Executive Order:

  • Makes it mandatory for service providers to share cyber incident and threat data that could impact government networks. It also establishes some basic security standards for the development of any software sold to the government.
  • Requires government networks to move to secure cloud services and zero trust architecture, and mandates multifactor authentication and encryption, all to be completed within a specified time period.
  • Establishes a Cybersecurity Safety Review Board, chaired by government and private sector representatives to analyze major incidents and recommend strategies to improve security.

4. EU DORA

The European Parliament adopted the Digital Operational Resilience Act (DORA) in 2022 with the objective of strengthening the operational resilience of the financial sector in the region. Regulated entities will be required to be compliant with the requirements by 17 January 2025. The Act outlines five key functional pillars:

  • ICT Risk Management Framework, aligned with ISO 27000, that requires organizations to map out their business functions, assets, and interdependencies and set up an information security management system (ISMS) plan
  • ICT Incident Management that requires organizations to manage the entire lifecycle of an ICT incident
  • Digital Operational Resilience Testing that mandates independent testing, including threat-led penetration tests
  • ICT Third Party Risk Management that requires organizations to establish a third-party register, include security clauses in contracts, and address concentration risk as well
  • Threat Intel and Sharing that requires organizations to share technical intel on IOCs, blacklisted IPs and malware, as well as specific threats such as phishing campaigns and patterns and fake identities

5. EU Cyber Resilience Act

This was proposed in September 2022 and approved by the European Parliament in March 2024. It establishes standardized cybersecurity rules for the development and lifecycle care of any product with digital components. It applies to manufacturers of products with digital elements (PDE). This includes both hardware and software, such as antivirus products, VPNs, smart home devices, connected toys, and wearables. Manufacturers have to implement the essential cybersecurity requirements specified by the Act. They have to carry out conformity assessments on all PDEs and must notify the relevant authorities about vulnerabilities and cybersecurity incidents.

6. Frameworks

In addition to these evolving regulations, there are also several industry-specific IT compliance frameworks that lay down data privacy and cybersecurity rules.

  • The PCI Security Standards Council introduced the PCI DSS 4.0 to keep pace with the rapidly changing technology and risk landscape within the payments sector.
    • It was expanded to include cloud service providers and introduced the concept of a customized approach where organizations can implement risk management controls best suited to their environment.
    • It emphasizes a risk-based approach, presents a wider scope of requirements, and places greater focus on data protection, continuous monitoring, and testing.
  • In the medical sector, HIPAA saw some significant revisions in 2024 that broadened the scope of patient privacy provisions and introduced stricter cybersecurity requirements.
    • This mandated risk assessments, incident response plans, and data encryption practices and updated breach notification requirements.
    • It also gave patients greater control over accessing or amending their health data.
  • This year also saw the release of Version 2.0 of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
    • It now covers not just organizations operating on critical infrastructure, but all organizations and aims to help them manage risks better.
    • The updated framework focuses on governance and supply chain cyber security.

The IT Regulatory Compliance Challenge

The task of regulatory compliance is growing increasingly complex and posing a significant challenge for organizations:

  • Keeping pace with rapidly changing regulations and new regulation updates
  • Continuously mapping new and updated regulations and frameworks to organizational policies and controls
  • Mapping and ensuring compliance with changing regulations at national, state, and even global levels, depending on the breadth and reach of the organization’s business
  • Increasing complexity of regulatory requirements with overlapping jurisdictions of different authorities
  • Rising cost of compliance management
  • Increasingly significant impact and cost of non-compliance

Automated Compliance is the Future!

Legacy manual methodologies cannot keep up with the pace of regulatory change or quickly adapt existing compliance processes accordingly. Organizations must implement automated compliance measures. This involves leveraging technologies like artificial intelligence, machine learning, and other cognitive technologies to continuously monitor and simplify IT regulatory compliance processes.

Automated compliance solutions provide a range of automated workflow capabilities that replace manual processes across functions like self-assessment, corrective action planning, controls analysis and testing, and regulatory horizon scanning. Compliance monitoring tools aligned with the organization’s security policies and its IT and cyber compliance management program help ensure there are no gaps or blind spots.

With compliance automation, organizations can:

  • Save time, money, and effort, and simplify the audit process by providing a centralized and easily accessible view of compliance status and data
  • Streamline and standardize compliance policies across the organization’s IT infrastructure
  • Reduce the risk of non-compliance and penalties with a continuous approach to monitoring, managing third-party risks, and identifying potential threats

Given the complexity of the IT risk and compliance function, organizations are embedding compliance into the development process itself – think “compliance by design”. Compliance testing is embedded into the software or application development process so that lapses or problems are identified early on and mitigated quickly.

How MetricStream Can Help

MetricStream CyberGRC’s integration with AWS Audit Manager enables organizations to streamline, simplify, and consolidate IT regulatory compliance across all relevant frameworks and regulations, including PCI-DSS, SOC 2, HIPAA, NIST SP 800-53, NIST CSF, ISO 27001, and more. Organizations can access, maintain, and report on controls, test results, and evidence across cloud and on-premises environments, all in one place. Most important, the autonomous, always-on approach allows organizations to automatically retrieve control testing results and evidence against relevant industry standards and frameworks, enabling them to proactively identify and address issues and efficiently demonstrate IT compliance across the entire IT infrastructure.

With this solution, organizations have comprehensive visibility into the performance of their controls and can replace sample testing with more accurate testing against the entire population. The regulatory landscape is evolving at an unprecedented pace, and organizations must up their compliance game to keep up. Legacy compliance methodologies are grossly inadequate in this scenario. Automated compliance solutions that leverage cognitive technologies like AI and offer continuous monitoring and easy audit functionality are essential business investments for organizations across sectors today.

To learn how MetricStream can help you embrace compliance automation, request a personalized demo today.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.