Riding the wave of cybersecurity regulations
The tides are turning for cybersecurity regulation and enforcement. And if businesses do not adequately prepare, a wave—in the form of a breach, attack or hefty government fine—may pull them under. The good news? With pre-planning and a tailored risk-management approach, companies can avoid potential non-compliance while increasing their overall cyber resiliency.
Over the past few years, businesses have been confronted with a steady increase in government rules. In 2023 alone, the Federal Trade Commission (FTC) finalized the implementation of the Safeguards Rule, mandating that non-banking financial institutions, such as automotive dealers and mortgage brokerages, maintain comprehensive security programs to protect consumer data. Last December, a U.S. Securities and Exchange Commission (SEC) rule also went into effect, mandating that public companies disclose material threats and breach incidents and provide an annual report on their cybersecurity risk management, strategy and governance.
Soon, the U.S. Centers for Medicare and Medicaid Services (CMS) is expected to unveil rules requiring hospitals to meet basic cybersecurity standards to receive federal funding. If the stream of announcements from federal agencies like the FTC, SEC and CMS is any indication, we’ve entered a more modern and rigorous phase of cyber oversight. And that could be a good thing—if companies leverage it as an opportunity to be more strategic with their cybersecurity practices. Regardless of their current processes, or lack thereof, there are vital takeaways companies should keep in mind as they attempt to ride the wave of cybersecurity regulations.
Cybersecurity is an essential business function. Cybersecurity protocols can help companies meet government compliance requirements. However, the goal of integrating these practices into their daily operations should extend well beyond avoiding government penalties and fines. A comprehensive cybersecurity strategy is critical for safeguarding their data, reputations and continuity. As the Cybersecurity and Infrastructure Security Agency, better known as CISA, states, “developing and implementing tailored cybersecurity plans and processes is key to protecting and maintaining business operations.” Companies should prioritize and cultivate a cybersecurity culture, with buy-in from the executive team to junior employees.
Risk management, not box-checking, is the best approach. Contrary to popular belief, compliance on its own does not produce security. Traditionally, regulations like the Health Insurance Portability and Accountability Act (HIPAA) have served as the baseline. The latest government rules reflect a push—or a financial incentive—to look at cybersecurity through a risk-management lens. Consider the amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires assessors and auditors to consider covered entities’ implementation of recognized security practices when determining potential fines, audit results or HIPAA violations. Using the recommended standards, guidelines and best practices, businesses should implement customized controls to address vulnerabilities within their organizations, industries and client bases. By adjusting processes to match their specific threat landscape, companies can better prevent, detect and respond to potential incidents.
Companies should create a cybersecurity chain of command. Developing a cybersecurity strategy is essential but will only serve its intended purpose if implemented and maintained correctly. Companies should designate who oversees their processes and practices to ensure maximum effectiveness. They should surround that individual or team with internal or external support, such as a third-party cybersecurity firm. As part of their efforts to build a cybersecurity culture, these individuals should guide the companies’ efforts to educate employees on potential security risks. Ideally, the appointed leaders should also monitor the companies’ cyber insurance policies and oversee their use during responses and recoveries, as needed.
Government cybersecurity regulations are crafted to help reduce organizations’ risk and boost their overall protection. But these requirements are often the bare minimum—not the be-all and end-all.
The latest torrent of rules, including those expected from CMS, reinforces the increasing need for companies to stop chasing the government compliance checkbox. Instead, they should take a nimbler risk-management approach that will allow them to adapt if—or when—their industries enter the cybersecurity spotlight.
By integrating tailored security practices and processes into their organizations in advance, they can ensure continued compliance, stave off attacks and ensure greater cyber resiliency.
Editor’s note: Christopher Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm providing tailored cybersecurity, IT and security compliance services. The opinions expressed are those of the author.