More and more businesses are taking their cybersecurity seriously. Part of this is a response to the startling rise in cybercrime over the past few years, particularly phishing and ransomware attacks. But there is a legal aspect to this shifting cybersecurity mindset too: cybersecurity compliance.
Cybersecurity compliance looks different for every company, but in general, businesses are expected to comply with the regulations and standards that apply to their industry. Failing to meet these standards raises your company’s risk of a breach and can result in hefty fines. As a managed service provider (MSP) and cybersecurity company, Digital Agent works with companies across a wide range of industries to bring their cybersecurity practices up to these standards.
Cybersecurity regulations and standards reflect the best practices at the time the standard or law was written. Given how quickly the threat landscape changes, it is best to treat these standards as the bare minimum needed to keep your company and your clients safe. If you are breached because you failed to follow proper cybersecurity practices, you not only damage your business and reputation; you may also face legal action and fines.
Fines vary with the scope of the compliance failure and the laws that were broken. The HHS Office for Civil Rights (OCR), which enforces HIPAA, is known for imposing hefty penalties: as of May 31, 2022, OCR had settled or imposed a civil monetary penalty in 110 cases, totaling over 131 million dollars. FINRA has likewise levied large fines on financial firms for failing to follow its cybersecurity and recordkeeping rules; in 2016, FINRA fined 12 firms a total of 14.4 million dollars for failing to preserve their electronic records properly.
Whether it results in a breach or in fines, failing to maintain basic cybersecurity practices can ruin your company’s reputation and finances. Working with a cybersecurity company can help you not only meet compliance requirements but also stay a step ahead of attackers. While strategies vary from company to company, most start from a standardized framework such as the NIST Cybersecurity Framework (CSF).
NIST, the National Institute of Standards and Technology, is a non-regulatory federal agency that develops cybersecurity standards, guidelines, and best practices. The NIST Cybersecurity Framework is a set of voluntary guidelines rather than a legally enforced standard, but many U.S. cybersecurity regulations build on it. The framework’s “Framework Core” breaks risk management down into five core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Each of these functions is broken down into categories and subcategories. NIST intends organizations to use the framework to conduct their own risk assessments and decide which controls are appropriate for them. Thus, “NIST compliance” looks different for every organization, and the framework is best used as a structure for meeting the specific laws and regulations of your industry rather than as a checklist in itself.
Other commonly used frameworks include the ISO/IEC 27000 series (ISO 27799 applies information security management specifically to healthcare), COBIT (often used by financial institutions to structure the IT controls needed for SOX compliance), the CIS Controls, HITRUST and COSO. Some of these are risk based, and others are more compliance focused.
The requirements for data protection and cybersecurity controls vary widely by industry. For instance, healthcare organizations, financial institutions, and government contractors are held to higher standards than retailers or restaurants because they handle more sensitive information. Below is a non-comprehensive list of the common federal regulations that require cybersecurity and privacy compliance. Many states have additional laws and regulations.
- Payment Card Industry Data Security Standard (PCI DSS): a contractual standard set by the card brands rather than a federal law, but it applies to every organization that stores, processes, or transmits cardholder data
- Federal Trade Commission (FTC) Act §5: applies to almost all U.S. organizations and prohibits “unfair or deceptive” acts or practices, which the FTC has applied to companies that misrepresent or fail to maintain adequate cybersecurity and privacy practices
- Health Insurance Portability and Accountability Act (HIPAA): applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates
- Defense Federal Acquisition Regulation Supplement (DFARS): applies to DoD contractors; clause 252.204-7012 mandates compliance with NIST SP 800-171 for protecting controlled unclassified information
- Sarbanes-Oxley (SOX): applies to publicly traded companies and carries criminal penalties
- Consumer Privacy Protection Act of 2017: proposed federal legislation that would apply to certain organizations handling personally identifiable information; it was not enacted, so it imposes no obligations as written
- SEC Regulation S-P (enforced by the SEC, and by FINRA for broker-dealers): requires broker-dealers, investment companies, and registered investment advisers to safeguard customer records and information
An important component of cybersecurity compliance is creating, maintaining, and adhering to a detailed set of policies and procedures. You can use a framework like NIST to create these policies and procedures while adding in any additional controls mandated by HIPAA, FINRA, the SEC, or other regulatory bodies. This documentation should be accessible and your staff should be regularly trained on relevant procedures.
For instance, if your medical practice has conducted an audit and found that its current authentication controls were not HIPAA compliant, you may decide to implement multi-factor authentication. You will need to notify staff of this change and train them on how to properly use a multi-factor authentication app or hardware token. But informing staff on a single occasion isn’t enough. It is important to schedule regular training on your cybersecurity and privacy practices and to keep thorough documentation of all policies and procedures in a place that all applicable staff can access.
Cybersecurity compliance can seem overwhelming. It takes a significant amount of work to create and maintain compliant practices and documentation. Your internal IT department or third-party IT provider can help you become compliant, but not all IT providers are well versed in the specific regulations governing your location and industry. You can learn more about cybersecurity compliance on the NIST website.
Digital Agent combines the latest technical innovations with old-fashioned service values. It is modeled on a family-run business, with a commitment to customer care, personalized service and attention to detail.