In 2023, we witnessed the continued expansion of the threat landscape. The year saw a notable surge in ransomware attacks compared to 2022, accompanied by a significant rise in data breaches that reached an all-time record. It was a year that we saw 1 in 4 people have their health records exposed.
Conversely, 2023 proved to be an active year for cybersecurity compliance efforts, driven by both government and industry initiatives aimed at mitigating the disruptive impact of mounting cyberattacks. Here is a summary of some notable compliance events that unfolded during the dynamic year.
State Privacy Laws
Following California’s introduction of the California Consumer Privacy Act (CCPA), we witnessed a growing number of states joining the privacy regulation trend:
- Virginia’s privacy law became enforceable on January 1, 2023.
- Privacy laws in Colorado and Connecticut took effect on July 1, 2023.
- Utah’s privacy law marked the final addition of the calendar year, becoming enforceable on December 31, 2023.
- California also introduced new amendments that became effective in January.
Additionally, eight states have enacted comprehensive consumer privacy laws:
- Florida, Oregon, and Texas will enforce their privacy laws starting on July 1, 2024.
- Montana’s privacy law takes effect on October 1, 2024.
- Delaware and Iowa are set to implement their privacy laws on January 1, 2025.
- Tennessee’s law will come into effect on July 1, 2025.
These legislations pertain to the collection of consumer data by commercial entities. Although there is substantial commonality among these laws, companies need to familiarize themselves with the specifics of each state’s privacy regulations and establish a comprehensive privacy and cybersecurity program to ensure compliance across multiple state privacy laws simultaneously. Several other states have begun drafting their own privacy laws which will only add to the complexity.
The New PCI DSS v4.0
PCI DSS Version 4.0, released in March 2022, has prompted companies to proactively address new requirements. These updated standards will come into effect on April 1, 2024, with additional changes slated for one year later. Key highlights for companies to note include:
- Mandatory implementation of multi-factor authentication (MFA) for all accounts with access to cardholder data.
- Passwords must now meet minimum complexity requirements and be at least 12 characters long.
- A limit of 10 unsuccessful login attempts, with a 30-minute lockout duration.
- Annual PCI compliance training for all employees handling credit card information, with regular review to align with the current threat landscape.
- Expanded scope of security vulnerabilities requiring remediation, encompassing all vulnerabilities regardless of severity.
- Encryption or robust protection of all stored sensitive authentication data is now mandatory for merchants.
- Organizations are required to deploy a web application firewall (WAF) for any web applications exposed to the Internet.
- Mandatory bi-annual reviews of access privileges.
A noteworthy change permits organizations to employ customized approaches to meet each requirement, encouraging innovative compliance solutions. With the deadline quickly approaching, it is imperative the new requirements and take steps to implement them to achieve compliance with the updated standards. Get more guidance on the specifics to transition to 4.0 with the PCI Webinar Series.
Cyber Insurance
In 2023, the cyber insurance landscape saw signs of stabilization. Insurance companies started regaining control after facing substantial losses during the COVID-19 years. Simultaneously, businesses adapted to the evolving landscape of cyber insurance premiums and policy prerequisites. While there are no universal standards amongst the various insurance firms, organizations seeking to obtain or renew a policy need to plan on meeting the following minimum requirements that took hold in 2023.
- Insurance providers often request a comprehensive risk assessment to gauge an organization’s risk profile and assess its vulnerability to cyberattacks.
- Multi-Factor Authentication (MFA) has become a near-mandatory requirement for privileged accounts and remote system access.
- Organizations are required to establish a well-documented incident response plan, detailing procedures to follow when incidents are detected.
- Insurers now anticipate businesses to conduct routine cybersecurity training for their employees.
- Consistent system, application, and device updates and patches are now considered standard practice.
- Companies are obligated to adhere to applicable cybersecurity regulations.
While not a legal requirement, cyber security insurance is strongly advisable for all businesses in light of the growing frequency of cyber threats. Such a policy can assist in covering expenses related to breaches, encompassing business interruptions, credit monitoring for affected customers, and public relations efforts. According to a Forrester Report, organizations equipped with cyber insurance encounter fewer breaches and demonstrate improved detection and response capabilities. This correlation is logical, as companies enhancing their security posture to qualify for cyber insurance inherently enhance their overall ability to mitigate cyber risks.
New SEC Requirements
The SEC adopted new rules on July 26 is another indicator of tightening regulatory compliance concerning Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. The move is a clear indication of the realization that ITC threats are a recognized material risk to financial organizations. The new directives are applicable to all publicly traded companies within the SEC’s jurisdiction. While IT and cybersecurity leaders are encouraged to acquaint themselves with the entirety of these new regulations, a pivotal requirement is the introduction of a standard necessitating the disclosure of cybersecurity incidents within four business days upon ascertaining their materiality. Furthermore, the SEC emphasizes that materiality determinations should be prompt and without undue delay. Another key requirement involves companies disclosing the cybersecurity expertise within their board of directors. This mandate underscores the SEC’s recognition of the critical role of cybersecurity knowledge in effective risk management.
For guidance on this complex topic:
Compliance Week Webinar: Almost Everybody is Unprepared for SEC Cybersecurity Disclosures. But You Can Get Through This.
Introducing DORA
One of the driving forces behind the surge in state-level data privacy regulations is the effort to catch up with global measures like the GPDC that took a proactive stance earlier. While it does not directly affect the U.S., a noteworthy development is the introduction of the Digital Operational Resilience Act (DORA) in January 2023. DORA aims to establish a unified framework for identifying and mitigating ICT risks within the financial sector, addressing potential inconsistencies, overlaps, and conflicts that exist among diverse regulations within EU member states. As numerous state privacy laws take shape, DORA could serve as an early indicator of future developments. Enforcement of this new directive is scheduled to commence on January 17, 2025.
Be Ready for 2024
Establishing and maintaining an effective security posture in today’s landscape is no simple feat. Likewise, navigating the expanding array of compliance regulations can be challenging.
Risk Mitigation and Compliance Assurance
Review your security profile and refine your risk mitigation and compliance assurance strategy. Our practitioners can help you achieve reasonable security.