February 24, 2017 By Scott Koegler 3 min read

As more government agencies get involved with creating cybersecurity regulations, security professionals will need to monitor new laws and understand which apply to their industry and whether some overlap or conflict. Increased enforcement from different agencies can mean significant consequences even if breaches are avoided.

As the new administration adjusts regulations, chief information security officers (CISOs) will need to add governmental cyber regulations to their daily watchlists. Consider the following key areas that impact enterprise security in multiple ways.

Federal Cybersecurity Regulations

The Cybersecurity Information Sharing Act of 2015 provides a framework for the federal government, some state governments and private industry to securely share cyberthreat information. As part of that action, the Security and Exchange Commission (SEC) established guidelines for regulated firms to comply with specific regulations. For example, the SEC recently settled a case with a company that suffered a data breach that compromised the personally identifiable information (PII) of nearly 100,000 people, showing its commitment to increasing security — particularly in the financial sector.

Government Fraud and Waste

Banking and finance regulations have been the focus of attention in the years since the Great Recession, and offshore tax evasion has been high on the Department of Justice’s list of targets. In 2015, the DOJ, under its Swiss Bank Program, entered agreements with multiple banks to encourage cooperation with regard to financial transactions.

Additionally, the Organization for Economic Cooperation and Development (OECD) created a global standard for financial institutions to exchange account information automatically in an effort to restrict offshore tax evasion. These efforts need to be understood and considered as companies conduct business around the globe. CISOs must institute measures to alert them when suspicious activities threaten their standard business practices.

Corporate Compliance

The Organizational Sentencing Guidelines of 1991 set the stage for federal oversight of corporate activities. In 2015, the DOJ hired a compliance counsel to guide prosecutors with regard to specific charges that might be brought against companies.

Since that time, the DOJ has demonstrated a commitment to pursuing a variety of charges. New guidelines are likely to bring about changes in how the agency monitors compliance. CISOs need to be aware of changes and update their compliance practices as needed.

Global Cooperation

The internationally connected internet narrows or eliminates separations between regulators in countries around the globe. This connectedness increases the complexity of interactions in companies, some of which may not even know the specific countries where they are doing business. Privacy regulations vary widely and change frequently as governments strive to protect their own and their citizens’ interests. CISOs need to be vigilant about changes in regulations on a global basis.

Focus on Money Laundering

Global trade involves the movement of money across international borders, and some governments are concerned about funds being routed to terrorist organizations. Closely associated with those concerns is the prospect of money laundering that hides the sources and destinations of funds. CISOs must monitor the routes of transactions and assure they are within federal and state guidelines.

Trade Sanctions as Foreign Policy

Trade sanctions have long been used to encourage behavioral changes in foreign governments. The U.S. has increased its use of sanctions for a variety of purposes against countries in recent years. Often, those sanctions impose criminal or civil penalties against U.S. companies that violate them. CISOs need to understand the specifics of international sanctions and monitor the sources and destinations of business transactions that take place across borders to be in full compliance with laws.

Government regulations are in flux, and CISOs are responsible for the security and compliance of their companies’ transactions and business dealings. They must maintain a current view of government rules and understand how they apply to and affect the data that flows in and out of the organization, even if they are not responsible for the contents of those transactions.

Listen to the podcast: Lessons from the NIST Cybersecurity Framework

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today