Regulatory compliance: Are you on top of it? Here’s how to make it work for your business.
Businesses are increasingly being fined for failing to achieve the cyber security compliance needed to protect their services and data. The requirements are set by regulators, which include industry-specific bodies, regional authorities, legislators and government agencies. The total amount of fines published by the Financial Conduct Authority (FCA) in 2022 equates to over £200m.
And that’s not the only cost they face. When organisations experience an incident or breach, they are also financially impacted by recovery costs, loss of earnings from operational downtime (system outages), and reputational damage (potentially long-term).
The problem has various causes. Many organisations are finding it difficult to achieve and retain the required compliance status due to:
• Lack of understanding,
• Undefined ownership within the organisation, or
• A forever changing landscape (moving goalposts).
So, what does it mean? Let’s look at why we have regulations, why the regulations keep changing and what it means to be compliant.
Why do we have regulations?
Regulations should simplify an organisation’s approach to cyber security, reducing the need for them to make independent decisions on how to adopt cyber security controls.
Legal regulations have been around a long time. They are intended to provide measures to increase the general level of security of network and information systems and carry the force of the law - their application is mandatory.
They exist alongside many industry-specific regulations, which now seem to be increasing. Many industries are falling behind and are still not regulated, meaning organisations are relying on information security standards. However, a common misunderstanding is the difference between regulations and standards.
Standards are not always enough. Organisations believe they are adopting good cyber security practices by following recognised standards, and sometimes they are. And yet, standards do not always effectively protect them or satisfy the regulators.
Standards aren’t the same as regulations, and following a standard doesn’t guarantee that an organisation is complying with the relevant laws. In fact, standards typically avoid references to the law, as legislation often changes within the lifetime of the standard.
Data breaches are a real threat for all organisations, regardless of their size, location or industry. The UK Government’s Cyber Security Breaches Survey 2022, for example, reported that 39% of UK businesses identified actual or attempted cyber-attacks in the previous 12 months.
Some industries that don’t have specific regulations have been exposed in the media for experiencing breaches and receiving huge fines and/or significant impact to their services. A primary example is the Marriott hotel group in the hospitality industry, who announced the exposure of sensitive details of half a million of its guests. They were fined £8m by the ICO in 2020 for failing to keep customers’ personal data secure.
The NIS Regulations (2018) in the UK were established to address exactly this kind of failure. They impose fines on businesses with poor cyber security of as much as £17 million or 4 per cent of global turnover.
Why does regulation keep changing?
Simply put, regulations have to adapt because cybercrime doesn’t stay the same. As our reliance on technology grows, the failure or disruption of network and information systems has a bigger impact, and there are more opportunities to compromise systems. Responding to the change in threats is a necessity for a prosperous UK economy. We need to secure critical network and information systems to keep our businesses, citizens and public services protected.
The NIS Regulations are a good example of this. They have recently been reviewed by the UK government in light of changes in threats and in the use of technology. The recently proposed updates include:
• Bringing managed service providers (MSPs) into scope of the regulations to keep digital supply chains secure.
• Improving cyber incident reporting to regulators.
• Establishing a cost recovery system for enforcing the NIS regulations.
• Giving the government the power to amend the NIS regulations in future to ensure they remain effective.
• Enabling the Information Commissioner to take a more risk-based approach to regulating digital services.
Consumers and businesses need protecting. Industry-specific regulations are established based on risk and on the type of data companies store and process. For example, the finance industry manages vast quantities of sensitive information about the finances of individual customers and businesses, which could cause significant impact if compromised.
There are also industries with specific regulations that have fallen victim to cybercrime and been exposed in the media, notably the Telecoms industry. This sparked a need to change their existing regulations. As a result of the UK Telecoms Supply Chain review in 2018, the government identified areas of concern that needed addressing. So in 2018 the Telecommunications Security Act (TSA) was introduced to replace the former (CAS-T) regulations.
What does being compliant mean?
To be compliant, an organisation must satisfy the requirements detailed in the applicable regulations. This is not a point-in-time exercise: compliance must be continually maintained to remain in line with regulations that do change.
What are the common issues/challenges organisations face?
• Achieving initial compliance – Understand the approach for implementing the regulatory controls.
• Continual monitoring/maintenance – Stay on top of any updates and changes through regular review and audits.
• Knowing who is responsible/accountable for compliance within the organisation – Clearly defined ownership is critical. Is there a dedicated resource, i.e. a CISO, or is it shared?
• Understanding the purpose – Knowing the aim enables an organisation to align its existing cyber security posture to the applicable regulations and address any gaps.
Regulation is necessary, but it can be hard work to stay on top of it. All organisations should look at what they can do to maintain compliance, because the penalties for a breach are severe.
Author: James Wood, Practice Director Cybersecurity Consulting, Cyro Cyber
Cyro’s decades of combined experience can help you understand, implement and test the necessary controls to satisfy the regulators, while serving the end goal of protecting your data and avoiding the potential impact of a breach in fines and reputational damage.
Drop us a line to discuss your compliance challenges. james@cyro.uk