Cybersecurity regulations: an overview
Cybersecurity regulations refer to the protection measures taken to guard the integrity and privacy of your digital data.
Since Web1 (the beginning of the internet), various cybersecurity regulations have been introduced around the globe. Here’s a round-up of the most prominent or established regulatory compliance practices across the UK, EU and US.
Cybersecurity regulations: categories
In reality, the list of cybersecurity regulations is almost endless. To compare general requirements across the UK, EU and US, we’ve listed some well-known features of cyber regulations.
Data protection and storage
Data protection is an important aspect of cybersecurity regulations. Not only is this integral at a government level (to ward off national security threats), but it’s crucial as you move down to a small business and personal level, too.
Many businesses collect incredibly personal information from their customers, including the likes of an email address and demographic data. If this information falls into the wrong hands, the consequences could be as severe as identity theft.
UK GDPR (also applies in the EU)
The UK’s General Data Protection Regulation (GDPR) requires businesses to obtain consent from prospects before adding them to mailing lists. It aims to prevent spam and the selling of data to third parties.
EU Markets in Financial Instruments Directive (MIFID)
The EU’s Markets in Financial Instruments Directive (MIFID) specifies the type of information that investment firms must provide in order to operate legally. This shifts the focus of data protection towards transparency rather than anonymity.
US FINRA 4511
The FINRA 4511 rule refers to record-keeping requirements within cybersecurity regulations. The key provisions of this rule aim to preserve and protect records in a standardized way to protect against loss or file corruption.
Obvious differences between the three regulations can be found in their lists of sanctions. For example, typical punishments for non-compliance with GDPR include fines of up to €10 million.
By contrast, penalties for breaking FINRA rules include suspension or outright dismissal from working within a regulated financial organisation.
Anti-hacking and anti-phishing
Hacking refers to the compromising of a digital system or product through unauthorised access, and preventing it is a key component of cybersecurity regulations. Similarly, phishing is the act of sending fraudulent communications that appear legitimate in order to gain access to sensitive information.
Of course, both of these activities have been criminalised across the globe. In order to better protect financial institutions, the UK, EU and US have formed specific anti-hacking and anti-phishing regulatory guidelines.
UK Computer Misuse Act 1990
The Computer Misuse Act (CMA) was introduced to criminalise malicious attacks on digital machinery. It sets out penalties for crimes including ransoming data, creating malware and tampering with devices without authorisation.
EU Directive on Attacks Against Information Systems 2013
This EU directive was introduced by Europol in order to mirror the long-standing criminalisation standards in the US. It specifies protection against organised attacks which threaten the integrity of entire systems.
US Computer Fraud and Abuse Act 1986
In the US, the Computer Fraud and Abuse Act (CFAA) specifically protects devices belonging to financial services institutions. As such, this regulation is more focused on national security interests, as opposed to the protection of the public sector.
There are a number of differences between cybersecurity regulations depending on your location. The EU specifies fines of up to 2% of revenue for breaking any of its regulations. Here are some of the UK and US differences:

| Crime | UK CMA | US CFAA |
| --- | --- | --- |
| Unauthorised tampering | 6 months imprisonment and up to £5,000 fine | Up to 10 years imprisonment |
| Intention to commit cybercrime | 5 years imprisonment and unlimited fine | Up to 5 years imprisonment |
| Modifying or ransoming data | 5 years imprisonment and unlimited fine | Up to 5 years imprisonment |
| Aiding the misuse of computer equipment | 10 years imprisonment and unlimited fine | Up to 5 years imprisonment |
Identity theft
Identity theft refers to the wrongful adoption of someone else’s official documentation in exchange for economic gain.
UK, EU and US against identity theft
There is a general consensus, and broadly shared guidelines, on how potential victims across the globe can avoid identity theft. These are mainly based around information security, and involve the likes of:
- Using strong passwords
- Using a VPN
- Not accessing public Wi-Fi services
However, the UK lacks clear legislation against data breach crimes, identity theft and fraud. Legal experts claim that penalties for identity theft can reach up to 7 years’ imprisonment.
Similarly, in the EU there is no specific committee that has been commissioned to combat this cyber threat. The European Network and Information Security Agency (ENISA) and the EU Cybersecurity Act advise the public to secure their passwords using cloud-based technology and to restrict the sharing of personal data with different websites or social media.
The US does have homeland security and state-wide cybersecurity measures to protect the public from identity theft. In addition, the Identity Theft and Assumption Deterrence Act was passed in 1998 and carries a maximum penalty of 15 years’ imprisonment.
Social media offences
Special mention goes out to social media offences, such as:
- Online threats
- Revenge porn
Social media is still very new, so this is a newer category of data security, but it carries a significant level of cyber risk.
Research is constantly being published about the mental health effects of social media, and there is much debate around how involved governments should be and around the infringement of human rights such as freedom of speech. This category is one to watch over the next decade or so, with cybersecurity regulations and others likely to come to the fore.
Who must comply with cybersecurity regulations?
The majority of cybersecurity regulations apply to the general public. However, some security measures specifically refer to financial institutions for compliance. For example, the EU’s MIFID Directive is specifically aligned to cybersecurity standards in the financial services industry.
Fortunately, compliance doesn’t have to feel like a wild goose chase of risk assessment after risk assessment. Always have access to the latest cybersecurity requirements in your region by discovering CUBE’s products. Never miss a new regulation again.