What’s Next in GRC and Risk Regulations? 10 Key Focus Areas for 2024

Introduction

Like the French proverb says, the more things change, the more they stay the same – except when they speed up! Of course, I added that last part. But when it comes to regulatory change, there does seem to be one constant: expansion. Thomson Reuters says there were more than 230 regulatory alerts a day in 2022. That’s not hard to believe with the escalating levels of regulatory activity around operational resilience, artificial intelligence (AI), cybersecurity, data privacy, and ESG, among others. 

In 2023, we saw some key cybersecurity and digital operational resilience regulations crystallizing in the U.S. and the European Union, setting a precedent for other regions. The regulatory momentum seen in 2023 will continue and likely become more intense in 2024. 

So what’s on the horizon for 2024, and what should you prepare for? Here’s a look at 10 key regulations and focus areas we are watching.

1. AI-Focused Regulations

The growing regulatory focus on AI in recent months is not surprising, considering the exploding use of AI and generative AI (GenAI) across industries. The trend is expected to continue well into 2024 and beyond. 

In January 2023, the National Institute of Standards and Technology (NIST) released the NIST AI Risk Management Framework (AI RMF 1.0), which aims to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” Another major development was the Executive Order published by the White House on the safe, secure, and trustworthy development and use of AI. 

The European Union is also taking steps to regulate the use of AI. In December 2023, EU officials reached a provisional agreement on comprehensive rules to ensure safe and trustworthy use of AI. According to a report from BBC, the EU Parliament will vote on the AI Act proposals this year, with the legislation to not take effect before at least 2025. Additionally, China, Canada, Brazil, South Korea, Singapore, the UK, and the UAE are all in various phases of rolling out AI-related regulations, which are likely to be adopted sooner rather than later. 

Like AI itself, we expect to see these regulations to continue to develop and evolve just as the technology itself does – and as we as an industry employ new use cases of AI for GRC.

2. SEC Cybersecurity Rules

Cyber risk is a top risk faced by organizations today. The risk of cyber attacks and data breaches has been further amplified by the widespread and easy accessibility of AI-based tools, which can be leveraged by cyber criminals to launch attacks on massive scale. Regulatory authorities are hard at work to ensure organizations have necessary measures in place to protect organizational assets and interest of all relevant stakeholders. 

The U.S. Securities and Exchange Commission (SEC) adopted Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules in July 2023. The focus of these rules is for public/listed companies to 

• Implement a robust incident management process with direct reporting to the SEC 
• Periodically disclose details of the expertise of their board and senior management and also their cybersecurity risk management processes/procedures in place 

For risk management, strategy, and governance disclosure requirements, public-listed companies are required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. 

To learn more about the SEC’s Cybersecurity Rules, read our blog "Achieve Compliance with SEC’s New Cybersecurity Rules ".

3. NIST Cybersecurity Framework (NIST CSF)

In addition to regulations, regulators and standard setting bodies also issue guidelines and frameworks to help businesses manage cyber risks effectively. The NIST Cybersecurity Framework is one of the most widely used frameworks by organizations. First published in 2014, the framework provides “a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.” 

The National Institute of Standards and Technology (NIST) released a revised draft of the framework for public comment in the latter half of 2023. The draft update or Framework 2.0, it said, “reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.” According to the official announcement, the final version of CSF 2.0 will be published in early 2024. 

To learn about what’s new in the revised version and how you can achieve compliance, read our blog "Demystifying NIST CSF 2.0: What's New and Why it Matters ". Also, explore how MetricStream can help you get started with NIST CSF with pre-packaged content.

4. Cybersecurity Maturity Model Certification (CMMC)

Another major cybersecurity standard and certification model is the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). CMMC is designed to “enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors.” 

The CMMC final rule is also expected this year. In 2023, the Department of Defense sent the draft rule, CMMC 2.0, to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 is a comprehensive framework that aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). The final rule includes some key changes to the CMMC 1.0 and is expected to considerably simplify compliance, reduce assessment costs, enhance accountability, and more. 

Learn how MetricStream can help you achieve CMMC compliance.

5. NYDFS Cybersecurity Regulations

Financial sector is one of the primary targets of cyber adversaries given the amount of data and financial assets at stake. So, the intensifying regulatory focus on this sector doesn’t come as a surprise. 

The New York Department of Financial Services (NYDFS) finalized the amendments to its nation-leading Cybersecurity Regulation in November 2023. Enacted in 2017, the regulation requires covered entities, including banks, insurance companies, and other financial services institutions regulated by DFS, to have effective cyber risk and governance measures in place, including a cybersecurity program for protecting consumers’ private data, well-document policies, a CISO to help protect data and systems; and effective controls, among others. 

The amended regulations mandate enhanced governance requirements, more regular risk assessments, additional controls to protect information systems from unauthorized access, updated notification requirements, and much more. It is important for organizations to keep an eye on the NYDFS Cybersecurity Regulation as it is expected to set a precedent for other states and municipalities. 

Regulated entities need to be compliant with the new regulations by April 29, 2024.

6. Operational Resilience

The regulatory interest and activity on operational resilience of financial sector organizations continues to gain momentum. In the UK, the Bank of England (BoE), Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) jointly published a consultation paper on “Operational resilience: Critical third parties to the UK financial sector (PRA CP26/23 and FCA CP23/30)” last month. The deadline for sending feedback comments is March 15, 2024. The regulators also intend to consult on a joint statement of policy regarding the use of their disciplinary powers over critical third parties. 

Explore how the MetricStream Operational Resilience solution can help you navigate today’s fast-evolving risk landscape. 

In the EU, the Digital Operational Resilience Act (DORA) aims to strengthen Information and communications technology (ICT) and digital risk management with focus on third parties, and promote digital operational resilience in the region’s financial sector. Key requirements span various ICT-focused areas such as risk management framework, incident management and reporting, and digital operational resilience testing program, among others. Adopted by the European Parliament in November 2022, the act requires regulated entities to comply by January 17, 2025. This means that the countdown has already begun – financial sector organizations have just 12 months to ensure compliance with DORA.

Given the growing focus on operational resilience across industries, DORA is a landmark regulation and expected to act as a harbinger of what other sectoral and federal regulatory authorities are likely to follow. 

To learn about the DORA requirements in detail and understand how it impacts your organization and how you can ensure compliance, download our eBook “Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act”.

7. Data Privacy

Protecting Personal Identifiable Information (PII) continues to be a top focus area for regulatory authorities worldwide. 

In the US, the enforcement of the new California Consumer Privacy Act (CCPA) regulations has been deferred until March 29, 2024. In 2020, California voters passed the California Privacy Rights Act (CPRA), which amended the CCPA and introduced additional privacy protections. CPRA established new standards for the collection, retention, and use of consumer data as well as imposed “new obligations governing personal information, including requirements that businesses adopt certain mechanisms permitting consumers to opt out of data sharing.” 

CPRA created the California Privacy Protection Agency (CPPA) to implement and enforce the law by July 1, 2022, with enforcement not to begin until July 1, 2023. However, the agency completed only the first set of regulations under the CPRA on March 29, 2023. 

In the wake of this delay, a California court postponed the enforcement of the new regulations by twelve months. That said, statutory changes under the CCPA went into effect on January 1, 2023, and remain in force. 

In November 2023, the CPPA also proposed a new regulatory framework for “automated decision-making technology” (ADMT), which defines key protections related to businesses’ use of these technologies. The agency has also published the revised draft regulations on  risk assessments and cybersecurity audits. 

Discover how MetricStream can help you strengthen CCPA compliance. 

In the UK, the Department for Science, Innovation and Technology published a statutory instrument in September 2023 to amend the references to ‘fundamental rights and freedoms’ in the data protection legislation. The amended language is to refer to rights recognized under UK law, rather than retained EU law rights. If approved by the UK Parliament, the amendment is expected to come into force in early 2024.

8. Gramm-Leach-Bliley Act (GLBA)

Another key regulation focused on protecting sensitive data, specifically consumer financial privacy, is the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions to explain their “information-sharing practices to their customers and to safeguard sensitive data.” 

In October 2023, 20 years after the GLBA Safeguards Rule first came into effect, the Federal Trade Commission (FTC) amended the rule. As per the latest amendment, non-banking financial institutions will be required to report data breaches to the FTC, affecting at least 500 consumers. The entities must notify the agency “as soon as possible, and no later than 30 days after discovery of the event.” 

The amendment will come into effect 180 days after its publication in the Federal Register. As per reports, this is likely to happen in 2024.

9. Payment Card Industry Data Security Standard (PCI DSS)

Another major standard aimed at protecting sensitive data, specifically cardholder data, is the Payment Card Industry Data Security Standard (PCI DSS). The globally recognized standard, applicable to organizations across industries that store, process, and/or transmit cardholder data, provides a set of technical and operational requirements intended to protect cardholder data. 

The latest version of PCI DSS will come into effect on March 31, 2024. The PCI Security Standards Council (PCI SSC) published version 4.0 of PCI DSS in March 2022 and gave organizations two years to understand the changes and implement any updates as needed. 

According to the official release, “PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.” 

Explore how MetricStream can help you streamline and strengthen PCI DSS compliance.

10. Fairness and Sustainability

Diversity, equality, and inclusion (DEI) and sustainability are increasingly becoming top agenda items not only for organizations but also for regulators worldwide. In the US, 22 states updated the minimum wage on January 01, 2024. Later in April, the Department of Labor (DOL) is expected to release its final rule amending the regulations on the “white collar” exemptions from the overtime and minimum wage requirements of the Fair Labor Standards Act (FLSA). 

Furthermore, a revised rule by the DOL requiring establishments with 100 or more employees in designated high-hazard industries to submit injury and illness information electronically to the Occupational Safety and Health Administration (OSHA) also took effect on January 01, 2024. 

In the EU, the European Parliament adopted the Corporate Sustainability Reporting Directive (CSRD) in November 2022, with member states required to implement the new rules 18 months later. The CSRD introduces more detailed reporting requirements, enabling investors and other stakeholders to make better-informed decisions on sustainability issues. 

“The CSRD introduces more detailed reporting requirements and ensures that large companies and listed SMEs are required to report on sustainability matters such as environmental rights, social rights, human rights and governance factors,” the European Council said. 

The application of the regulation will be staggered between 2024 and 2028. In the first phase, companies already subject to non-financial reporting directive (NFRD) will be required to report in 2025 on the financial year 2024. 

These are just a few of the regulations businesses should closely watch this year. To successfully navigate the fast-changing regulatory landscape, organizations need an integrated, streamlined, and technology-driven approach to compliance that helps them stay on top of regulatory changes and reduce costs while improving visibility into the overall compliance posture. MetricStream Compliance Management helps organizations get their compliance program up and running quickly and ensure adherence to relevant regulations and industry standards. 

Explore how MetricStream can help you strengthen your compliance function – request a personalized demo today!