As more government agencies get involved with creating cybersecurity regulations, security professionals will need to monitor new laws and understand which apply to their industry and whether some overlap or conflict. Increased enforcement from different agencies can mean significant consequences even if breaches are avoided.
As the new administration adjusts regulations, chief information security officers (CISOs) will need to add governmental cyber regulations to their daily watchlists. Consider the following key areas that impact enterprise security in multiple ways.
Federal Cybersecurity Regulations
The Cybersecurity Information Sharing Act of 2015 provides a framework for the federal government, some state governments and private industry to securely share cyberthreat information. As part of that action, the Securities and Exchange Commission (SEC) established guidelines for regulated firms to comply with specific regulations. For example, the SEC recently settled a case with a company that suffered a data breach that compromised the personally identifiable information (PII) of nearly 100,000 people, showing its commitment to increasing security, particularly in the financial sector.
Government Fraud and Waste
Banking and finance regulations have been the focus of attention in the years since the Great Recession, and offshore tax evasion has been high on the Department of Justice’s list of targets. In 2015, the DOJ, under its Swiss Bank Program, entered agreements with multiple banks to encourage cooperation with regard to financial transactions.
Additionally, the Organization for Economic Cooperation and Development (OECD) created a global standard for financial institutions to exchange account information automatically in an effort to restrict offshore tax evasion. These efforts need to be understood and considered as companies conduct business around the globe. CISOs must institute measures to alert them when suspicious activities threaten their standard business practices.
The Organizational Sentencing Guidelines of 1991 set the stage for federal oversight of corporate activities. In 2015, the DOJ hired a compliance counsel to guide prosecutors with regard to specific charges that might be brought against companies.
Since that time, the DOJ has demonstrated a commitment to pursuing a variety of charges. New guidelines are likely to bring about changes in how the agency monitors compliance. CISOs need to be aware of changes and update their compliance practices as needed.
The internationally connected internet narrows or eliminates separations between regulators in countries around the globe. This connectedness increases the complexity of interactions in companies, some of which may not even know the specific countries where they are doing business. Privacy regulations vary widely and change frequently as governments strive to protect their own and their citizens’ interests. CISOs need to be vigilant about changes in regulations on a global basis.
Focus on Money Laundering
Global trade involves the movement of money across international borders, and some governments are concerned about funds being routed to terrorist organizations. Closely associated with those concerns is the prospect of money laundering, which hides the sources and destinations of funds. CISOs must monitor the routes of transactions and ensure they stay within federal and state guidelines.
Trade Sanctions as Foreign Policy
Trade sanctions have long been used to encourage behavioral changes in foreign governments. The U.S. has increased its use of sanctions for a variety of purposes against countries in recent years. Often, those sanctions impose criminal or civil penalties against U.S. companies that violate them. CISOs need to understand the specifics of international sanctions and monitor the sources and destinations of business transactions that take place across borders to be in full compliance with laws.
Government regulations are in flux, and CISOs are responsible for the security and compliance of their companies’ transactions and business dealings. They must maintain a current view of government rules and understand how they apply to and affect the data that flows in and out of the organization, even if they are not responsible for the contents of those transactions.