Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
3 Things to Know as Cybersecurity Compliance Gets More Intense in 2024
By Cam Roberson, Vice President at Beachhead Solutions
The cybersecurity compliance pressures felt by businesses across industries will intensify heading into 2024, as new laws and regulatory initiatives will require even more attention and sophisticated security capabilities. The day is fast approaching when any organization doing business in the U.S. will see its cybersecurity practices fall under regulatory oversight.
While the process of adapting to this new normal will require diligent effort and investment, the shift also provides clear opportunities for businesses to differentiate from competitors based on how they approach, and prove, their cybersecurity practices. With regulatory change coming on fast and unavoidably, the best thing businesses can do is harness that change to their advantage.
Here are three areas where compliance requirements will intensify in 2024:
1) The FTC Safeguards Rule
I'll start with a change that affects countless businesses and needs to be on just about everyone's radar in 2024. The FTC Safeguards Rule requires any business under FTC jurisdiction (and not that of another regulator) that "acts as a financial institution" to have a capable and comprehensive information security program in place protecting customers' financial data. The crucial detail that businesses may find surprising: any business that regularly transfers money to and from customers counts as a financial institution under this rule. Therefore, millions of unsuspecting businesses, from mortgage lenders to tax prep services to car dealerships, are now subject to regulatory compliance and on the hook to get their cybersecurity houses in order.
It's worth noting that regulators have eagerly made examples of newly regulated businesses that put sensitive financial data at risk, prioritizing organizations that demonstrate the most egregious security practices as their first targets. While it's tempting for businesses to learn the wrong lesson from that targeting (i.e. "I only have to be the second slowest not to get eaten by the lion"), the reality is that oversight and enforcement are expanding and will catch up with any organization that fails to meet its obligations.
The FTC Safeguards Rule isn't something to mess with. A business that fails to meet the rule's requirements may have regulators administering fines of $100,000 per violation, as well as the possibility of additional fines that target business leaders individually. Businesses that fail to align financial data security with required best practices may also put their licensing at risk.
While the FTC Safeguards Rule was written in 2021, the deadline for compliance was pushed back until June 2023. Since then, affected businesses have been fully exposed to compliance enforcement, whether they've been aware of it or not. Businesses that aren't prepared must take immediate action: the risk of penalties will only increase as regulators gear up for tighter enforcement in 2024 and beyond.
2) HIPAA
While HIPAA is no stranger to anyone working with patient data, many organizations are unaware of recent updates to the government's 405(d) Health Industry Cybersecurity Practices (HICP) guidelines. While HIPAA still calls for careful protections and practices such as data encryption, access control, workforce training programs, and regular risk assessments, the HICP publication now includes guidance for helping healthcare businesses select managed service provider (MSP and MSSP) partners for cybersecurity. This tacit acknowledgment that HIPAA requirements have grown too complex (and the threats too large) for small healthcare-overlapping businesses to comply with independently is a sea change from previous guidance, which framed compliance in "do it yourself" terms.
That said, another recent change expands the strategies available to businesses when it comes to implementing HIPAA-compliant practices. The bill H.R.7898 now maps HIPAA to modern cybersecurity standards including NIST CSF and ISO 27001, offering businesses more specific guidance for aligning their security protections with effective recognized controls.
HIPAA enforcement is also changing, with fines now sized with a business's means in mind. Counterintuitively, this has made HIPAA fines more dangerous. Previously, HIPAA fines reached into the seven figures and were clearly extinction-level events for almost any SMB healthcare business, but were seen as rarely enforced upon practices without that kind of cash available. Now, HIPAA regulators are levying $35,000-$50,000 fines per violation with the full expectation of payment, and increasing enforcement into 2024.
3) CMMC
All businesses acting as contractors or subcontractors in the Department of Defense's supply chain, and any businesses that want in on those lucrative contracts, must achieve Cybersecurity Maturity Model Certification (CMMC) and comply with the DFARS 252.204-7012 clause. DFARS 7012 requires businesses to protect controlled data with cybersecurity practices aligning with NIST 800-171 controls and some extra requirements. CMMC provides third-party assessment and certification that a business meets those NIST controls.
However, change is coming for businesses that comply with CMMC, or aspire to. CMMC 2.0 is scheduled for implementation in 2025. At the same time, CMMC is in a dynamic moment, calling for businesses in 2024 to demonstrate vigilance in keeping aware of emerging developments and changes to CMMC requirements.
Make cybersecurity compliance an advantage in 2024
2024 figures to be a year when businesses across industries feel new and acute pressure to get serious about cybersecurity, and when many will stand apart and win new customers' trust by doing just that. Soon enough, serving as worthy custodians of private data will become table stakes to even earn consideration from potential customers and partners, making compliance with recognized cybersecurity frameworks into essential credentials. While the stick driving compliance in 2024 comes down to greater enforcement and penalties, the carrot businesses should strive to reach is market differentiation provided by cybersecurity excellence.
## ABOUT THE AUTHOR
Cam Roberson is Vice President at San Jose-based Beachhead Solutions, whose cloud-based platform provides PC & device encryption, security, and access controls necessary for compliance with CMMC 1 & 2, FTC Safeguards, HIPAA, ISO 27001, NIST guidelines, and more. Cam began his career with Apple Computer, where he held several senior product management roles in the computing and imaging divisions.