
Regulatory changes and their impact on GRC

Louis Strauss |

April 17, 2024

The ever-shifting regulatory landscape compels organizations to constantly recalibrate their GRC strategy against all relevant laws and regulations. Information Security (InfoSec) leaders and risk and compliance professionals are responsible not only for keeping track of new legislation but also for preparing for changes and improvements to existing rules in order to maintain compliance. In 2024, we anticipate the emergence of new laws and updates to existing standards and frameworks. Here are some of the big cyber compliance events that you should be across:

CPS 230 Operational Risk Management

The Australian Prudential Regulation Authority (APRA) first published the CPS 230 Operational Risk Management standard last July 2023. The standard aims to ensure resilience against operational risks and disruptions for entities regulated by the APRA.

Starting January 1, 2024, APRA-regulated entities are required to implement CPS 230 and have until July 2025 to demonstrate full compliance with the requirements of the standard. These include identifying, mitigating, managing, and monitoring operational risks through effective internal controls; delivering critical operations amid disruptions through a credible business continuity plan; and effectively managing risks associated with service providers through a comprehensive service provider management policy.

California Delete Act

The California Delete Act also went into effect on January 1, 2024, after being passed into law in October 2023. The law gives California residents full control over their data and grants them the right to demand that data brokers delete their personal information. This limits the use of consumer data for profiling, targeting, and other potentially harmful purposes. California data brokers must comply with the mandatory requirements and implement a data deletion system by January 2026, or they may face legal action.

Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is a European Union regulatory framework that enforces requirements for the information and communication technology (ICT) security systems of financial entities. It was published in November 2022 and entered into force in January 2023, setting out key measures on ICT risk management, third-party oversight and risk management, incident management and reporting, information sharing, and digital operational resilience testing.

In January this year, new regulatory technical standards were published under the Digital Operational Resilience Act. These standards specify the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents, and significant cyber threats.

As mandated by the EU, all financial institutions must complete the implementation of the framework by January 2025 and comply with its mandatory requirements, such as submitting a detailed root cause analysis report to the relevant authorities within one month following a significant ICT incident.

NIST CSF 2.0

Meanwhile in February, the National Institute of Standards and Technology (NIST) released NIST CSF 2.0, the first update to its widely used Cybersecurity Framework since its creation in 2014.

The NIST CSF is designed to guide organizations in managing cyber risks through effective practices and controls. Key changes in NIST CSF 2.0 include the addition of a new core function, Govern, which establishes governance as the foundation of a cybersecurity risk management strategy. The framework's original five core functions (Identify, Protect, Detect, Respond, and Recover) were also restructured.

Although it is recognized as a global standard for cybersecurity management, compliance with the framework is voluntary.

ISO 27001:2022/Amendment 1

Also in February, the International Organization for Standardization (ISO) launched Amendment 1 to ISO 27001:2022. ISO 27001 is the world's best-known standard defining the requirements for an Information Security Management System (ISMS). It was released in October 2005 and revised in 2013 and again in 2022.

ISO 27001/Amendment 1 introduces requirements for organizations that consider climate change as a relevant risk to their information security management system.

Getting an ISO 27001 certification showcases an organization’s commitment to information security, cybersecurity, and privacy protection, therefore enhancing customer trust and opening more opportunities for revenue growth. This is why complying with ISO 27001 is of great importance to most organizations even though the standard is voluntary.

Australian Information Security Manual (ISM)

The Australian Information Security Manual (ISM), first released by the Australian Signals Directorate (ASD) in 2021, was also updated in March this year. It provides organizations with a cybersecurity framework for protecting their systems and data from cyber threats. The new update amended several guidelines covering communications infrastructure, enterprise mobility, ICT equipment, system hardening, and cryptography.

PCI DSS v4.0

On March 31, 2024, the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 was also retired as the PCI DSS version 4.0 was officially implemented, affecting all entities that collect, process, and transmit cardholder data.

Version 4.0 places emphasis on a risk-based approach and continuous monitoring and testing with increased focus on data protection and cloud and service providers. Organizations can gradually transition to PCI DSS v4.0 until March 31, 2025, after which it will become mandatory.

EU regulations on AI

The use of artificial intelligence has led to several advancements not just in the world of cyber GRC but also in various fields like healthcare and retail. To promote the ethical, trustworthy, and accountable use of AI by organizations, responsible AI standards and frameworks have been introduced to regulate the development and deployment of AI systems.

On March 13, 2024, CNBC reported that the European Union had approved its first major set of regulatory ground rules governing the use of AI technologies, particularly in media-related applications and platforms. The regulation is anticipated to come into effect by May 2024, further reinforcing the objectives of previously established responsible AI frameworks such as the NIST AI RMF and ISO 42001.

SEC Cybersecurity Rules

The U.S. Securities and Exchange Commission (SEC) enacted new mandatory Cybersecurity Rules in July 2023, requiring public companies to disclose all material cybersecurity incidents as well as information about their cybersecurity risk management and governance. The implementation deadline for large companies was December 2023, while small companies have 180 days, or until June 2024, to secure their compliance. Organizations are also required to conduct periodic reviews of their compliance measures.

NIS 2 Directive

Lastly, the implementation deadline for the European Union's Network and Information Systems 2 (NIS 2) Directive is also approaching on October 17, 2024. NIS 2, an expansion of the EU's original NIS Directive that set cybersecurity requirements for network and information systems, was first introduced in 2020 and came into effect in January 2023. Entities in the UK that provide essential and important services, including companies and suppliers, are required to comply with the Directive's requirements, such as reporting security incidents to national authorities within 24 hours.

Achieve multi-framework compliance with 6clicks

Secure your compliance with these new regulatory requirements through 6clicks’ AI-powered Security Compliance, IT Risk Management, Vendor Risk Management, and Issues & Incident Management capabilities. 6clicks automates and streamlines multi-framework compliance solutions for major standards and regulations such as the NIST CSF, ISO 27001, DORA, UK Cyber Essentials, and more.

6clicks also supports organizations in the responsible use and implementation of AI and compliance with AI frameworks such as the NIST AI RMF and ISO 42001 (guidelines for AI management systems). To learn more about responsible AI practices, such as performing an AI risk and system impact assessment, implementing AI-related controls, and more, download our free expert guide below:


Written by Louis Strauss

Louis began his career in Berlin, where he also founded Dobbel Berlin – Berlin's curated search engine. Returning to Melbourne to join KPMG, Louis led the development of software designed to distribute IP and create a platform for use by advisors and clients. While at KPMG, Louis also co-authored Chasing Digital: A Playbook for the New Economy. Louis is accomplished in stakeholder management, requirements gathering, product testing, refinement, and project implementation. Louis also holds a Bachelor of Engineering and a Master of Information Systems from the University of Melbourne.