Beachhead Solutions 2024 Predictions: 3 Things to Know as Cybersecurity Compliance Gets More Intense in 2024


Industry executives and experts share their predictions for 2024.  Read them in this 16th annual VMblog.com series exclusive.

3 Things to Know as Cybersecurity Compliance Gets More Intense in 2024

By Cam Roberson, Vice President at Beachhead Solutions

The cybersecurity compliance pressures felt by businesses across industries will intensify heading into 2024, as new laws and regulatory initiatives will require even more attention and sophisticated security capabilities. The day is fast approaching when any organization doing business in the U.S. will see its cybersecurity practices fall under regulatory oversight.

While adapting to this new normal will require diligent effort and investment, the shift also gives businesses a clear opportunity to differentiate from competitors based on how they approach, and can prove, their cybersecurity practices. With regulatory change arriving fast and unavoidably, the best thing businesses can do is harness that change to their advantage.

Here are three areas where compliance requirements will intensify in 2024:

1) The FTC Safeguards Rule

I'll start with a change that affects countless businesses and needs to be on just about everyone's radar in 2024. The FTC Safeguards Rule requires any business under FTC jurisdiction (rather than that of another financial regulator) that "acts as a financial institution" to maintain a written, comprehensive information security program protecting customers' financial data. The amended rule spells out what that program must contain: a designated qualified individual who owns it, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, secure data disposal, activity monitoring, staff training, vendor oversight, a written incident response plan, and regular reporting to the board or equivalent leadership. The crucial detail that businesses may find surprising: any business that regularly transfers money to and from customers, or arranges credit for them, counts as a financial institution under this rule. Therefore, large numbers of unsuspecting businesses, from mortgage lenders to tax prep services to car dealerships that arrange financing, are now subject to regulatory compliance and on the hook to get their cybersecurity houses in order.

It's worth noting that regulators have eagerly made examples of newly regulated businesses that put sensitive financial data at risk, choosing organizations with the most egregious security practices as their first targets. It's tempting to learn the wrong lesson from that targeting ("I only have to be the second slowest to avoid being eaten by the lion"), but the reality is that oversight and enforcement are expanding and will catch up with any organization that fails to meet its obligations.

The FTC Safeguards Rule isn't something to mess with. A business that fails to meet the rule's requirements may face fines of up to $100,000 per violation, with the possibility of additional fines that target business leaders individually. Businesses that fail to align financial data security with the required practices may also put their licensing at risk.

While the amended FTC Safeguards Rule was finalized in 2021, the deadline for complying with its new requirements was pushed back to June 2023. Since then, affected businesses have been fully exposed to enforcement, whether or not they have been aware of it. Businesses that aren't prepared must take immediate action: the risk of penalties will only increase as regulators gear up for tighter enforcement in 2024 and beyond.

2) HIPAA

While HIPAA is no stranger to anyone working with patient data, many organizations are unaware of recent updates to the HHS 405(d) program's Health Industry Cybersecurity Practices (HICP) guidance. HIPAA still calls for careful protections and practices such as data encryption, access control, workforce training programs, and regular risk assessments, but the HICP publication now also includes guidance to help healthcare businesses select managed service provider (MSP and MSSP) partners for cybersecurity. This tacit acknowledgment that HIPAA requirements have grown too complex (and the threats too large) for small healthcare organizations to meet on their own is a sea change from previous guidance, which framed compliance in "do it yourself" terms.

Another recent change expands the strategies available to businesses for implementing HIPAA-compliant practices. H.R.7898, signed into law in January 2021, amended the HITECH Act to require HHS to consider whether a regulated entity has had "recognized security practices" in place for the preceding 12 months, such as the NIST Cybersecurity Framework or the 405(d) HICP approaches, when determining fines, audit results, and other remedies. In practice this gives businesses a concrete incentive, and more specific guidance, for aligning their HIPAA security protections with effective, recognized controls.

HIPAA enforcement is also changing, with fines now sized with a business's means in mind. Counterintuitively, this has made HIPAA fines more dangerous. Previously, HIPAA fines reached into the seven figures and were clearly extinction-level events for almost any SMB healthcare business, but they were seen as rarely enforced against practices without that kind of cash available. Now, HIPAA regulators are levying $35,000-$50,000 fines per violation with the full expectation of payment, and enforcement is increasing into 2024.

3) CMMC

All businesses acting as contractors or subcontractors in the Department of Defense's supply chain, and any businesses that want in on those lucrative contracts, must comply with the DFARS 252.204-7012 clause and, once the program takes effect, achieve Cybersecurity Maturity Model Certification (CMMC). DFARS 7012 requires businesses to protect controlled unclassified information (CUI) with cybersecurity practices aligned to the NIST SP 800-171 controls, plus additional obligations such as reporting cyber incidents to DoD within 72 hours and flowing the clause down to subcontractors. CMMC adds assessment and certification that a business actually meets those controls: a self-assessment at Level 1, and for most contracts involving CUI a third-party assessment at Level 2.

However, change is coming for businesses that comply with CMMC, or aspire to. The proposed CMMC 2.0 rule was published for public comment at the end of December 2023, with phased implementation in contracts expected to begin in 2025. That puts CMMC in a dynamic moment, and businesses in 2024 must stay vigilant about emerging developments and changes to CMMC requirements, including the final rule and any revisions to the assessment levels.

Make cybersecurity compliance an advantage in 2024

2024 figures to be a year when businesses across industries feel new and acute pressure to get serious about cybersecurity, and when many will stand apart and win new customers' trust by doing just that. Soon enough, serving as worthy custodians of private data will become table stakes to even earn consideration from potential customers and partners, making compliance with recognized cybersecurity frameworks an essential credential. While the stick driving compliance in 2024 comes down to greater enforcement and penalties, the carrot businesses should strive to reach is the market differentiation that cybersecurity excellence provides.


ABOUT THE AUTHOR

Cam Roberson

Cam Roberson is Vice President at San Jose-based Beachhead Solutions, whose cloud-based platform provides the PC and device encryption, security, and access controls needed for compliance with CMMC Levels 1 and 2, the FTC Safeguards Rule, HIPAA, ISO 27001, NIST guidelines, and more. Cam began his career with Apple Computer, where he held several senior product management roles in the computing and imaging divisions.

Published Thursday, January 04, 2024 7:39 AM by David Marshall