Why we need better cyber regulation to protect the UK from disruption
The Computer Weekly Security Think Tank considers how security leaders should best navigate the multitude of new national and multinational regulations affecting their work, and ensure their organisations remain compliant and protected.
By
- Adam Stringer, PA Consulting
Published: 13 Jan 2025
It’s not easy for firms to understand how to comply with global security and resilience regulation; there’s no single place where all regulation comes together, and it’s often down to regional compliance teams and security leaders to interpret policies, which leads to a lack of joined-up thinking and extremely siloed approaches.
However, although there will always be nuances based on the geographical jurisdiction where a firm operates, there are several global regulatory themes emerging:
- Operational resilience and security are now as important as financial resilience
- Transparency and timely reporting are key
- Focus on foundational cyber controls
- Do the right thing for your customers and the rest will follow
Operational resilience and security are now as important as financial resilience
A number of regulations focus on the need to identify the most important services that a firm offers to its customers and markets and to make them secure above all else. Examples include the Building operational resilience regulations in the UK and the Digital Operational Resilience Act (DORA) in the EU.
These regulations have come about because of a belief that firms often focus on financial resilience, while outages caused by exploitation of vulnerabilities or by operational failure were occurring too regularly and disrupting customers’ lives. There have been many examples of major outages in recent years caused by cyber incidents as well as operational and supply chain issues, including CrowdStrike, WannaCry and multiple outages impacting the airline industry.
Firms need to identify their most important services and protect the infrastructure needed to run them. This is typically achieved by working out how much harm would be caused by a service outage and then tiering services accordingly. The most important services should receive the most investment and protection.
Transparency and timely reporting are key
When things do go wrong, regulators are keen to understand the detail. A number of regulations globally focus on the need to report security, cyber and resilience issues in a timely manner. Examples include the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US, reporting requirements under DORA in the EU and breach notification for privacy related incidents globally, such as under the GDPR.
Firms should make sure that they can report cyber and operational incidents in a timely manner, including understanding who will draft and approve the notification and who will liaise with each regulator. Regulators then need to be kept informed as the incident progresses, including what the organisation is doing to resolve the incident.
Each jurisdiction may have different timescales for reporting, so keeping a log of regulations and reporting requirements (updated at least monthly) is important. There are tools that can automate this, which might reduce the effort required for large global organisations to keep up to date with regulatory reporting requirements.
Focus on foundational cyber controls
Some jurisdictions are heavily endorsing a focus on foundational cyber controls. For example, in the US any firm that wants to offer cloud services to the federal government needs to be certified under the FedRAMP scheme to ensure that baseline cyber controls are in place.
Recognised standards such as ISO 27001 and the NIST CSF have become a focus for firms who want to demonstrate that they are continually improving their cyber controls. They are also useful for board reporting, where members of the board need to understand their firm’s relative cyber maturity.
Firms should be reviewing the maturity of their cyber controls at least annually and against a recognised standard. This is just as important for non-technical controls; for example, making sure that teams are trained to spot phishing attacks, that there’s regular exercising and simulation for incident response and that cyber and resilience leadership behaviours are fully aligned with protecting the firm and its customers.
Do the right thing by your customers and the rest will follow
It’s implicit in most new regulations that a focus on protecting customers will lead to better security outcomes overall. Some jurisdictions have gone further and released regulation to protect these outcomes (such as Consumer Duty in the UK Financial Services industry).
When the worst happens, how a firm helps its customers to deal with the disruption is a crucial (but often forgotten) part of the response. The aftermath of a cyber-attack can last for months and years, with the almost inevitable investigations (some driven by regulatory requirements) that follow.
Whilst the old saying ‘always bank with a bank that’s just been robbed’ might be a little contrived, there is an element of the ‘anti-fragile’ in it, in that a firm’s operations gain strength by being stressed from time to time. Firms are often judged on the strength of their response to customers and markets; those that get it right are often able to emerge stronger and more resilient.
Governments are always keen to emphasise the importance of reducing regulatory burdens, and nobody would argue that regulation should slow innovation. However, there’s a general perception that the public, consumers and markets have been under-protected from cyber and operational impacts, and regulators are now addressing these concerns. This means we’re unlikely to see the focus shift away from cyber, operational resilience and supply chain regulation any time soon.
Adam Stringer is head of cyber, privacy and operational resilience in financial services at PA Consulting