Cybersecurity risks are escalating in both volume and sophistication. Cybersecurity Ventures predicts that by 2025 cybercrime will cost the world economy approximately USD 10.5 trillion annually. The widespread use of digital technologies and the evolution of artificial intelligence (AI) only multiply the risks and costs. Regulatory bodies around the world are responding by creating new legislation and amending existing policies to address these concerns.
Cybersecurity rules and regulations vary with an organization's jurisdiction and industry, and most include rules governing how and when a cyberattack must be disclosed. Here are some of the common cybersecurity rules and regulations you need to know about:
General Data Protection Regulation (GDPR)
GDPR is the European Union (EU) data protection regulation. It requires organizations to report personal data breaches, meaning incidents that result in the unauthorized access to, or the loss, alteration or destruction of, personal data. GDPR does not prescribe a specific incident response methodology, but its requirement for appropriate technical and organizational security measures is, in practice, met with an incident response plan (IRP) that lays out step-by-step processes for handling a breach: preparation, identification, containment, eradication, recovery and lessons learned. On notification, GDPR requires the controller to notify the competent supervisory authority (Data Protection Authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to communicate the breach to affected data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms.
Digital Operational Resilience Act (DORA)
DORA is a European Union (EU) regulation that entered into force on January 16, 2023 and creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA requires in-scope organizations to run digital operational resilience testing of their ICT systems at least once a year. The regulation also requires rapid reporting of major ICT-related incidents, visibility into an organization's third-party ICT dependencies, and the ability to respond to audit requests from regulators or customers. The requirements apply from January 17, 2025.
Financial institutions must be able to manage an ongoing cyberattack and quickly disclose details to regulators. This requires an early warning system, a crisis management plan and a crisis communications plan that are in place before an incident occurs.
Bank Negara Malaysia (BNM) Business Continuity Management (BCM) Policy Document
BNM, a statutory body and the central bank of Malaysia, issued the BCM Policy Document on December 19, 2022. It applies to all licensed financial institutions, including banks, investment banks, insurers, takaful operators, development financial institutions, operators of designated payment systems and approved issuers of electronic money. The policy requires financial institutions to develop and implement a BCM framework with supporting policies and processes, to be prepared to respond to and recover from operational disruptions, and to preserve the continuity of critical business functions within a specified timeframe during a disruption.
The policy sets rigorous requirements for "periodic testing." For example, financial institutions must test for at least three consecutive business days, and the test period must include a time of peak load and volume.
Securities and Exchange Commission (SEC) Final Rule: Cybersecurity risk management, strategy, governance and incident disclosure
Adopted on July 26, 2023 and effective September 5, 2023, this final rule from the SEC, the U.S. federal securities regulator, requires registrants to provide enhanced and standardized disclosures regarding "cybersecurity risk management, strategy, governance and incidents." The rule addresses investor concerns about access to timely and consistent cybersecurity information. It requires a registrant to disclose a cybersecurity incident it has determined to be material on Form 8-K within four business days of the date on which the registrant determines the incident is material (not the date of the incident itself).
California Consumer Privacy Act (CCPA)
Effective January 1, 2020, the CCPA is a California data privacy law, often compared to GDPR, that requires organizations to give California consumers greater transparency into how their personal information is collected, used and shared. It also requires companies to disclose cyberattacks that result in the unauthorized access to, or the loss or theft of, personal information.
New York State Department of Financial Services (NYDFS) Part 500
In June 2023, NYDFS, the financial regulator for New York State, proposed revisions to its Part 500 Cybersecurity Regulation. NYDFS requires New York insurance companies, banks and other regulated financial institutions (including agencies and branches of non-U.S. banks licensed in the state of New York) to assess their cybersecurity risk profile and to disclose cyberattacks that result in the unauthorized access to, or the loss or theft of, customer data.
The amendment is more prescriptive and stringent than prior versions and adds further obligations for larger firms. The incident response and business continuity and disaster recovery requirements specify annual testing, a risk assessment that must be carried out at least annually, and policies and procedures derived from that assessment that must be reviewed and approved at least annually as well.
Specifically, covered entities must promptly notify NYDFS of cybersecurity events that occur not only at the covered entity itself but also at an affiliate or third-party service provider. Covered entities would also be required to maintain backups that are protected from unauthorized alteration or destruction and to test, at least annually, their ability to restore critical systems from those backups. Financial firms must also maintain systems with an audit trail designed to detect and respond to cybersecurity events.
Additional cybersecurity regulations
In the U.S., there are additional data privacy regulations with cybersecurity implications. These include:
- Colorado Privacy Act (CPA) - initial phases in effect as of July 1, 2023
- Connecticut Data Privacy Act (CTDPA) - effective July 1, 2023
- Utah Consumer Privacy Act (UCPA) - will take effect on December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) - effective January 1, 2023
In addition to these general rules and regulations, there may be specific policies that apply to certain industries or sectors. For example, the healthcare industry is subject to the Health Insurance Portability and Accountability Act (HIPAA), whose Breach Notification Rule requires covered entities and their business associates to report breaches that result in the unauthorized access to, or the loss or theft of, unsecured protected health information.
Meeting cybersecurity regulations
Organizations should identify the rules and regulations that apply to their jurisdiction and industry well before they need to disclose a cyberattack; notification clocks such as GDPR's 72 hours and the SEC's four business days leave little time to work this out during an incident. These rules can be complex and overlap, so it is advisable to consult with an attorney to confirm which obligations apply and that the organization is in compliance.
Here are some additional tips for organizations on how to disclose a cyberattack:
- Be transparent and timely in communicating with customers and employees about the cyberattack and the steps being taken to respond to it, and disclose the attack to the appropriate regulators within the required timeframes.
- Provide accurate information about the cyberattack, including the type of attack, the data that was affected, and the steps customers and employees can take to protect themselves. Where facts are still under investigation, say so rather than speculating.
- Be responsive to questions from customers, employees and the media about the cyberattack, and provide regular updates on the status of the investigation and the response.
By following these tips, organizations can help to minimize the impact of a cyberattack on their customers, employees, and reputation.
How can Cutover help?
Cutover provides a single platform for executing your cyber recovery plans, connecting your teams and technology and combining automated and manual tasks. Using Cutover's dynamic, automated runbooks, you can build executable recovery plans complete with task-level details, assigned team members and dependencies.
Gain confidence that you can demonstrate regular recovery exercises run against well-defined, comprehensive procedures. Cutover's immutable audit trail automatically records who did what and when, capturing every task, owner and timing associated with a runbook. Share the audit log with regulatory authorities as evidence that you meet testing and recovery requirements.