
Cybersecurity Regulations: What’s Changing in 2024?


Cyber threats are becoming more sophisticated, and even organizations that consider themselves well protected are increasingly exposed. According to Statista, the global cost of cybercrime is projected to rise sharply over the coming years.

Among the top threats identified by CISOs are ransomware, identity-based attacks, denial-of-service (DoS) attacks, and attacks on cloud infrastructure.

In response, regulators are tightening cybersecurity requirements to force organizations to manage and mitigate these threats rather than leaving the matter to discretion.


This article examines new cybersecurity regulations coming into force in 2024, along with existing rules being updated, in the US and the EU.

The focus is on what these changes mean for small business leaders and how you can adapt to them to become more resilient.

Adapting to Cybersecurity Regulatory Changes as a Small Business

A small business cannot adapt to regulatory change without a proactive and structured approach. Before examining the specific changes in cybersecurity regulation, here is how you can use them to improve your security posture rather than merely reacting to them.

  • Stay informed and educated: The compliance landscape is changing quickly. Monitoring regulator announcements and industry updates will help you stay on top of your obligations and of current best practice.
  • Conduct regular training: Invest in regular training for yourself and your staff so that everyone understands the latest regulatory requirements and how your company is implementing them.
  • Develop policies and procedures: Your approach to cybersecurity should not be haphazard. Develop clear, written policies that map to the regulatory requirements that apply to you, and review them on a fixed schedule and after any significant incident.
  • Maintain documentation: Emerging regulations place heavy emphasis on documentation and incident reporting. Keep detailed, dated records of your procedures, risk assessments, incidents, and the response to each, since several of the regimes below impose reporting deadlines measured in hours.
  • Engage with experts and partners: You need access to the right expertise to implement robust, compliant controls. Collaborate with other small businesses, industry groups, and regulatory bodies to share knowledge.
  • Gain leadership buy-in: Your business cannot adapt successfully unless leadership is on board. All leaders need to be headed in the same direction and to understand that compliance is a business obligation, not only an IT task.
  • Seek legal and regulatory advice: Cybersecurity regulations are not suggestions or best-practice guidance; they are law. Engage legal experts to clarify exactly which obligations apply to you and how to meet them.

Top Cybersecurity Regulations To Watch

1. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

CIRCIA is a US federal law, signed in March 2022, that strengthens the reporting of and response to cyber incidents affecting critical infrastructure. It requires organizations in covered sectors to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing one has occurred, and to report ransomware payments within 24 hours of making them.

The critical infrastructure sectors include financial services, healthcare and public health, food and agriculture, information technology, and communications, among others.

CIRCIA also directs CISA to issue regulations defining which entities are covered and what must be reported, and CISA has begun that rulemaking.

In the spring of 2024, CISA published a notice of proposed rulemaking setting out the reporting requirements for organizations in critical infrastructure sectors. Note that the proposal does not itself create any obligation: reporting only becomes mandatory once CISA issues the final rule, which the statute requires within 18 months of the proposal, so the obligations are not expected to take effect before 2025.

Small businesses are generally excluded from the definition of covered entities, subject to sector-specific exceptions in the proposed rule. SMB leaders should still pay attention, because they may be affected directly or indirectly through supply chain relationships or other partnerships with critical infrastructure entities, for example where a covered customer needs incident details from a supplier to meet its own 72-hour deadline.

2. Network and Information Security Directive 2.0 (NIS 2)

The first Network and Information Security Directive was adopted in 2016 as a legislative framework to drive the adoption of common cybersecurity standards across EU member states. Over time it was criticized for being too vague, particularly because it left member states wide discretion in deciding which entities counted as operators of ‘essential’ services, which produced inconsistent coverage across the EU.

NIS 2 was introduced to remedy these weaknesses. It is more detailed about purpose, scope, requirements, and enforcement.

Notably, it requires an “all hazards” approach to risk management and sets minimum measures covering, among other things, risk analysis and security policies, cyber hygiene and training, incident handling, business continuity, supply chain security, access control, the use of cryptography, and multi-factor authentication.

Member states must transpose NIS 2 into national law and publish the resulting measures by 17 October 2024, so the concrete obligations and penalties will be set out in each country’s implementing legislation.

While most organizations affected by NIS 2 are medium-sized and large entities, some small businesses are not exempt. Scope is determined by the sector an entity operates in and its size, measured by employee headcount and annual turnover or balance sheet, but certain entities are covered regardless of size, for example providers of DNS or electronic communications services, trust service providers, and organizations that are the sole provider of a service essential to the economy or society in a member state.

3. NIST Cybersecurity Framework 2.0 (CSF 2.0)

The NIST Cybersecurity Framework is not a legal regulation like the others on this list. It is a voluntary framework designed to help organizations manage and reduce cybersecurity risk.

However, its influence extends far beyond its voluntary status: it has shaped numerous national and state cybersecurity regulations and standards, and it is frequently referenced in contracts and insurance requirements.

The Framework was first published in 2014 and updated in 2018. Both versions (1.0 and 1.1) were written for the protection of critical infrastructure, and that is the main respect in which CSF 2.0, released in February 2024, differs.

CSF 2.0 explicitly broadens the guidance to organizations of all sizes and in all sectors.

Other changes introduced in version 2.0 include:

  • An emphasis on risk-based, continuous improvement rather than a one-time assessment.
  • Expanded guidance on emerging risk areas, notably supply chain and third-party risk, alongside cloud, artificial intelligence, and IoT.
  • Recognition of the role of business leadership by adding a sixth ‘Govern’ function to the original five: Identify, Protect, Detect, Respond, and Recover.

4. Cyber Resilience Act (CRA)

In March 2024, the European Parliament approved a new regulation known as the Cyber Resilience Act. The Act aims to strengthen the cybersecurity of ‘products with digital elements’ (PDE).

A PDE is any hardware or software product that can be connected, directly or indirectly, to a device or network; IoT devices are the obvious case, but the definition also covers software sold on its own. The cybersecurity requirements apply across the product lifecycle, from design and development through production and post-market support, and address both hardware and software vulnerabilities.

Under the Act, manufacturers assume a duty of care for the product throughout its support period: they must ship products without known exploitable vulnerabilities and with a secure-by-default configuration, maintain an inventory of components in the form of a software bill of materials, provide security updates for the support period, and report actively exploited vulnerabilities and severe incidents to the authorities within tight deadlines measured in hours. The ‘CE’ mark will indicate that a product conforms to the new requirements.

Ultimately, the Cyber Resilience Act is intended to let consumers and businesses tell which products are built and maintained securely.

The next step is formal adoption by the Council of the EU, after which the Act is published and enters into force. Its requirements apply in stages: manufacturers have three years from entry into force to comply with the full set of rules, but the vulnerability and incident reporting obligations apply earlier, roughly 21 months after entry into force.

5. Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act is an EU regulation aimed specifically at the financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025.

In short, the coming months are critical for financial institutions such as banks, insurance companies, and investment firms, which need to strengthen their defenses and meet the requirements by that January 2025 date.

DORA harmonizes the ICT security rules for financial entities across the EU and is designed to ensure that the sector can withstand, respond to, and recover from operational disruption, above all disruption caused by cyber incidents.

Its requirements are organized around ICT risk management, ICT third-party risk, digital operational resilience testing (including threat-led penetration testing for larger entities), ICT-related incident management and reporting, and the sharing of cyber threat intelligence between financial entities.

Small businesses to which DORA does not directly apply, but which provide ICT services to a financial entity, may still have to meet DORA-derived obligations: financial entities must flow down contractual requirements to their ICT providers, and the largest providers can be designated as critical ICT third-party providers and supervised directly.

Stay Vigilant and Adaptive

Organizations must stay vigilant and adapt to the changes taking place in cybersecurity regulation. Increased scrutiny from regulators and rising expectations from customers and investors mean that robust cybersecurity measures are more critical than ever.

In particular, companies are now expected not only to protect their data but also to report transparently on their cybersecurity practices and incidents, often within fixed deadlines. That leaves little room to hide.

Featured Image by Gerd Altmann from Pixabay