Navigating New Cybersecurity Policies and Regulations: What You Need to Know

2022 has brought tighter cybersecurity restrictions and privacy regulations around the world. With the escalation of cyber threats driven by accelerated digital transformation and the Russian invasion of Ukraine, governments globally have decided to step up their cybersecurity defenses and introduce new measures to protect businesses and national security.

Let’s take a look at recent cybersecurity regulations around the world and see how they might affect your organization and your customers.

Better Cybercrime Monitoring

Almost one year after the Biden administration announced the Executive Order on Improving the Nation’s Cybersecurity, the U.S. President has signed the Better Cybercrime Metrics Act, aimed at improving the tracking and prosecution of cybercrime.

The law will enable the building of a comprehensive and consistent system to collect and categorize data on cyber incidents, as a way to combat rising cyber threats. At present, some estimates claim that the Federal Bureau of Investigation (FBI) only collects about one in 90 of all cybercrime incidents in its Internet Crime Complaint Center (IC3) database.

The legislation has many supporters, as many organizations stand to benefit from the Act. Better incident categorization will help standardize the types of cyber threats that organizations and businesses face. At the same time, more transparency and reporting will help cyber professionals and government prioritize the most serious threats and recommend protection against them.

NIS2 Regulations

The European Council approved the Network and Information Security 2 (NIS2) Directive in December 2021, to streamline the cybersecurity standards and reporting rules across the European Union (EU). In May 2022, NIS2 was revised to set the baseline for risk management and reporting for businesses across all sectors, including energy, transport, health, and digital infrastructure.

The revision will come into force in 2024 and introduce fines, enforcement, and incident reporting requirements for essential and important entities. Non-compliance will be punished by fines of up to €10 million or 2% of global annual revenue. At the same time, the EU allocated a budget of €2 billion to support new cybersecurity initiatives for strengthening cyber resilience. One of the major requirements in the directive is that entities must submit an initial notification of any significant cyber threat to the relevant competent authority within 24 hours.

Managing the Risk of Supply Chain Attacks

The famous supply chain attack on SolarWinds in 2020 was a major incident of unprecedented scale for the cybersecurity community. A supply chain attack is like a digital Trojan Horse: the criminals insert malicious code into trusted third-party software, infecting all of the victimized company’s customers. In the case of the SolarWinds attack, the criminals stayed inside the system for 18 months before they were eventually detected. Close to 18,000 private and public sector organizations and businesses were affected.

The rise in the number of supply chain attacks and state-sponsored criminal gangs has triggered a revision of risk management policies in the United States.

In May 2022, the U.S. National Institute of Standards and Technology (NIST) released a revised publication of its Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. It offers guidance for mitigating supply chain threats that can be adapted to the unique size, resources, and circumstances of each enterprise.

NIST proposes foundational, sustaining, and enhancing practices for managing risks. These include the implementation of a robust incident management program, collaboration with a threat-informed security program, and automation of monitoring and risk-scoring processes.


Guidance for Smaller Businesses

In Canada, the CIO Strategy Council published Canada’s new national cyber security standard, CAN/CIOSC 104, for small and medium organizations (SMOs) that typically have fewer than 500 employees. The standard includes 55 recommendations for SMOs, presented in two tiers. The first tier has 22 baseline recommendations, while the second offers 33 measures that provide an additional layer of protection for higher-risk businesses that depend on their online presence.

The standard is designed to help smaller businesses across Canada secure their systems and data from rising cyber threats. In addition to the guidelines on cyber attack prevention and response, CIOSC 104 also includes an incident response plan template and a cybersecurity risk assessment questionnaire.

Securing Critical National Infrastructure

In January 2022, the Cyberspace Administration of China issued the New Measures for Cybersecurity Review. The regulations state that Critical Information Infrastructure Operators (CIIOs) and network platform operators must apply for a cybersecurity review if national security is or may be affected. The New Measures also require online platforms holding the personal information of more than one million users to undergo a cybersecurity review before listing (IPO) in a foreign country.

The regulations address national security risks such as illegal control over key information infrastructure and the theft of key data by foreign governments. The New Measures also prohibit algorithm technology companies from generating fake news or disseminating information from unauthorized sources.

The tighter regulations require more vigilance from foreign companies with online platforms and apps in China, especially when collecting and using personal data.

As governments globally strengthen cybersecurity regulations, there are also new opportunities for organizations to strengthen their cyber defenses and, in some cases, get additional funding for doing so. While it is getting harder to comply with all the requirements and reporting, there are many steps that businesses can take to significantly lower their risk of cyber attacks. Actions such as adding additional layers of cybersecurity protection, improving transaction monitoring and data analysis, and adding the ability to detect and block crime in real time can all significantly lower the risk of cyber threats and revenue losses.