
February 22, 2023

Estimated reading time: 5 minutes

What global cyber and cybersecurity regulations are there?

In 2019, cybersecurity attacks in the US cost the public sector over $7.5 billion. But in the same year, not a single bank in the US reported a ransomware incident. This signifies a positive change in the financial sector and tells us that regulations could be working. In Europe, by contrast, cyber incidents seem to be increasing exponentially year after year.

Without a unified global front on cybersecurity, institutions are left to regulate their own jurisdictions. This could create a space for cybercriminals to benefit from the gaps in regulations, and gamble on exposed companies.

What are cybercrimes?

Cybercrime refers to any illegal behaviour that involves a computer, mobile device or internet network.  

Here are some examples of cybercrime: 

  • Piracy (illegal download and distribution of materials online)
  • Identity theft (criminals obtain your personal details to access accounts like bank accounts and defraud your company)
  • Extortion (commonly known as a ransomware attack, criminals access your system and then blackmail your business or publish their findings) 

The financial sector is particularly vulnerable to cybercrime attacks since banks and institutions hold a vast amount of personal data. Plus, without adequate operational resilience measures, a cybersecurity threat could cause chaos for financial institutions. Therefore, cyber regulations are paramount so that companies in this sector follow best practices and reduce their risk of compromise. 

Cybersecurity regulations in North America

There is one main federal cybersecurity regulation in the US, with some individual states also creating their own laws. 

Gramm-Leach-Bliley Act (1999)

This act is the premier cybersecurity measure for financial institutions in the US. It states that banks, credit unions and other regulated institutions must create, implement and sustain thorough data security throughout operations.  

The Gramm-Leach-Bliley Act is enforced by the Federal Trade Commission, and on a basic level, compels institutions to let customers know about the data they are collecting and allows them to opt out.  

Moreover, compliance teams must produce their own programs to demonstrate physical, administrative and technical data safety. Regulated entities should: 

  • Declare the nature of their activities
  • Demonstrate the scope of their activities
  • Outline the potential risk of their activities to customers

California Consumer Privacy Act and Colorado Privacy Act

Data privacy is a key aspect of protection in cybersecurity. States like California and Colorado have taken matters into their own hands by passing their own data protection policies for businesses in their jurisdictions.  

The policies are somewhat similar, focusing on the work that data controllers and data processors can do, in order to keep customers safe. The primary aim of these regulations is to give customers the right to opt out of data collection and prevent their information from being passed onto third parties. 

Cybersecurity regulations in Europe

The EU is widely regarded as the frontrunner in regulatory intelligence.

Cybersecurity Resilience Act

This act came into force in 2019, but regulated institutions had until 2021 to implement their plans for compliance. This means it’s very new compared to some other regulations and is managed by ENISA, the EU agency responsible for cybersecurity.

The Cyber Resilience Act introduced a blanket framework, meaning that new ICT products and services would have to become ENISA-certified. Regulated institutions must provide a designated level of assurance for the security of their product.  

This has led to two major benefits: 

  1. There is more transparency with regard to security properties and cyber risk for digital products in the marketplace.
  2. Consumers are better equipped to compare different options and make more informed decisions. 

GDPR

GDPR stands for General Data Protection Regulation. It is widely regarded as the premier legislation for privacy and security around the globe, having come into effect in 2018. More recently, Brazil has created its own version of the GDPR, which is known as the Lei Geral de Proteção de Dados Pessoais.

The scope of GDPR’s cybersecurity framework is vast, but here is a quick summary: 

  • Companies may only collect personal data if it has an ‘integrity-friendly’ purpose; it cannot be held ‘just in case.’
  • Individuals must consent to their data being collected and can withdraw consent at any time or request the personal data that companies are holding on them.
  • Any data breach must be reported within 72 hours.
  • Businesses are responsible for the data processing of their suppliers.

Cybersecurity regulations in Asia

Across Asia, various countries have produced their own similar versions of GDPR. In Japan, this is the Personal Information Protection Commission, and China has published its Personal Information Security Specifications. The Monetary Authority of Singapore presides over its Personal Data Protection Commission.

Most of this legislation applies to companies that collect and process data, to ensure that they protect the integrity of this data and the anonymity of their customers. In case of a cyber attack, it is hoped that regulated entities are well-equipped to continue to operate without putting their data at risk.

Staying on top of worldwide cyber security regulations

With so many different policies around the world, cybersecurity compliance can be hard for multinational companies and smaller firms. Horizon scanning technology makes it easier.  

CUBE’s cybersecurity solutions allow organisations to monitor, track and understand the rapidly emerging landscape for cyber threats and regulations. With visibility of all the relevant regulations, employees can ensure they meet the requirements by creating robust policies and controls, minimising the risk. Demo CUBE’s RegAssure platform to take control of compliance.

Keep ahead of emerging regulations and guidance by speaking to CUBE.

