Things are changing in the world of cybersecurity, and the lines are moving on the compliance front. In every sector, the requirements that businesses must meet are evolving. Even though keeping up with the changing regulatory landscape of cybersecurity compliance can be complicated, the subject is a serious one: the protection of your business depends on it.
In this guide, we walk through the cybersecurity rules that businesses must follow to remain compliant, sector by sector:
- Healthcare
- Retail
- Financial Services
- Legal
- Federal Agencies
- Energy and Utilities
- Insurance
- Automotive
- Manufacturing
- IoT
- State-Specific Compliance
The healthcare industry is regulated primarily by the Health Insurance Portability and Accountability Act (HIPAA), and must protect both protected health information (PHI) and personally identifiable information (PII).
HIPAA compliance requires businesses to take measures to protect the confidentiality, integrity, and availability of PHI. This includes ensuring that only authorized individuals have access to PHI, using encryption to protect PHI in transit, and having a disaster recovery plan in place in case of a data breach.
PII is any information that can be used to identify an individual. It's important to protect this data as well. Businesses in the healthcare industry must take measures to protect PII from unauthorized access, use, disclosure, or destruction.
The retail industry is mainly regulated by the Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation (GDPR).
PCI DSS requires businesses to take measures to protect customer credit card information from unauthorized access and disclosure. PCI DSS compliance includes implementing physical, administrative, and technical safeguards, as well as conducting regular risk assessments.
GDPR compliance requires businesses to take measures to protect the personal data of individuals in the European Union. This includes ensuring that personal data is collected and processed lawfully, transparently, and fairly, and that individuals have the right to access their personal data and request its deletion.
Businesses in the financial services industry are subject to a variety of cybersecurity compliance regulations, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and the Sarbanes-Oxley Act (SOX).
SOX was specifically created to protect investors from the possibility of fraudulent accounting practices by publicly traded companies. Cybersecurity compliance is a critical part of SOX, which applies to any company that offers products or services in interstate commerce, as well as any company with securities listed on national exchanges.
Law firms are a target for cyberattacks because they handle a great deal of sensitive information. They must follow all types of cybersecurity compliance regulations, depending on the industry a law firm specializes in. The regulations also vary from state to state.
Some of the most common cybersecurity compliance regulations law firms have to comply with include the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX).
Federal agencies must comply with the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In Europe, public agencies must also comply with the EU Cybersecurity Act and GDPR.
FISMA requires agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.
NIST is a non-regulatory agency that publishes the NIST Cybersecurity Framework, voluntary guidance that helps organizations better manage and reduce cybersecurity risks. Organizations can use the framework to assess their cybersecurity risks, identify cybersecurity controls to mitigate those risks, and track their progress over time.
The EU Cybersecurity Act was created to improve the cybersecurity of networks and information systems in the European Union. The act requires member states to designate a national cybersecurity authority, create a cybersecurity certification scheme, and establish a European cybersecurity agency.
Businesses in the energy and utilities industry are subject to the Federal Energy Regulatory Commission (FERC) cybersecurity regulations.
The FERC cybersecurity regulations are designed to protect the nation's electric grid from cybersecurity threats. The regulations require electric utilities to develop and implement a cybersecurity program that includes risk assessments, security controls, and incident response plans.
Insurance companies are also subject to a range of cybersecurity compliance regulations, depending on the industry an insurance company may serve. Typical cybersecurity regulations for insurance companies include the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).
As vehicles become more and more connected, cybersecurity compliance regulations are being developed to protect against cybersecurity threats. The National Highway Traffic Safety Administration (NHTSA) has issued guidance on cybersecurity for the automotive industry.
The NHTSA guidance is voluntary, but it provides recommendations for cybersecurity best practices for the automotive industry and mentions ways to protect vehicles from hacking.
Businesses in the manufacturing industry are subject to the International Organization for Standardization's (ISO) cybersecurity standard. And if contractors provide services to the Department of Defense (DoD), they must comply with the cybersecurity requirements of the Defense Federal Acquisition Regulation Supplement (DFARS).
The ISO cybersecurity standard is a voluntary, international standard that provides guidance on cybersecurity risks and controls. The DFARS cybersecurity requirements, by contrast, are mandatory. The Cybersecurity Maturity Model Certification (CMMC) was created by the DoD to help assess cybersecurity compliance; it will replace DFARS as the standard for protecting controlled unclassified information (CUI).
The Connectivity Standards Alliance has recently released the Matter 1.0 standard, which defines a new way for IoT devices to communicate and interact with each other. Matter uses a Public Key Infrastructure (PKI) to authenticate devices and encrypts message transmission for data security. This helps ensure that users can securely connect their IoT devices to the cloud and to other connected systems.
Compliance in any industry also varies according to state and local regulations, and internationally according to national and regional ones.
For example, in 2018, California passed the California Consumer Privacy Act (CCPA). The CCPA is a state law that regulates the way businesses handle the personal data of California residents, regardless of where the business is located. The CCPA requires businesses to disclose what personal data they collect, why they collect it, and with whom they share it. Businesses must also provide a way for consumers to opt out of the sale of their personal data.
In 2017, New York passed the NYDFS Cybersecurity Regulation. The regulation applies to any business that is subject to the jurisdiction of the NYDFS and that possesses, stores, or uses non-public information. It requires businesses to develop a cybersecurity program and outlines what businesses must include.
The electronic Identification, Authentication, and Trust Services (eIDAS) regulation is a European Union regulation that was created in 2014. The regulation establishes a legal framework for electronic signatures and other electronic identification methods, such as e-IDs. The eIDAS regulation applies to businesses that provide electronic signatures or other electronic identification methods.
Recently, the UK Cyber Security Council was created as an outcome of the UK's National Cyber Security Strategy (NCSS) 2016-2021. UK businesses need to comply with the cybersecurity compliance regulations set by the council. The council shapes and informs national policies and aims to help UK businesses with cybersecurity compliance by providing resources and guidance.
Make Cybersecurity Compliance Easy with GlobalSign
Keeping your business compliant with seemingly endless regulations can be daunting, but it doesn't have to be. At GlobalSign, we can help your business secure its data and comply with your industry's regulations. Contact our experienced team today to learn more about our cybersecurity compliance solutions.