Regulatory compliance is one of the most pressing issues organizations across sectors face. With the global regulatory environment developing, organizations often struggle to keep pace with new rules, updates to existing standards, and enforcement trends across jurisdictions.
As regulations frequently evolve, technology is pivotal in helping businesses monitor changes, perform risk assessments, and realign compliance programs adeptly. GRC platforms are purpose-built to help clients remain agile in the face of regulatory shifts.
Features like AI-based tracking of new regulations and automated policy updates enable responsiveness.
By outlining key risk areas and essential strategies to consider, we aim to help businesses in the tech and cybersecurity space prepare for the regulatory road ahead. Proactive planning and adaptation will increasingly determine regulatory compliance success.
Understanding emerging regulations
Today, regulatory compliance has become critical for businesses, especially in technology and cybersecurity. Understanding and adhering to various regulations is about safeguarding your business, your clients, and the integrity of the digital ecosystem.
This section will dive into the complex regulatory environment, focusing on key regulations that impact the tech and cybersecurity sectors.
SEC Cyber Rules for Public Companies
The United States Securities and Exchange Commission (SEC) adopted new cybersecurity regulations for public companies. The changes make it more difficult to hide "material" cybersecurity events and require organizations to disclose more information about their cybersecurity risk governance, expertise, and management. The SEC implemented these changes to improve corporate governance and protection.
EU AI Act
The European Union released the EU AI Act to regulate the use of artificial intelligence in the region through a risk-based approach that categorizes AI systems by their risk level, from minimal to unacceptable risk.
NIST AI Risk Management Framework (RMF)
The National Institute of Standards and Technology released the NIST AI Risk Management Framework (AI RMF), a framework that treats leadership as its foundation and emphasizes the importance of organizational structure in managing AI risks.
Digital Operational Resilience Act (DORA)
The EU also enforced the Digital Operational Resilience Act (DORA), a regulatory framework that aims to strengthen financial entities' resilience against cyber threats and technological disruptions by introducing stricter requirements and principles for managing Information and Communication Technology (ICT) risks, including a framework for monitoring risks from third-party service providers.
Managing regulatory compliance challenges
The changing regulatory landscape
Technological advancements and global economic shifts keep the regulatory environment in constant flux. For instance, the United States Securities and Exchange Commission (SEC) adopted new cybersecurity requirements for publicly traded companies. The SEC's changes created new rules for reporting "material" cybersecurity incidents and require more detailed disclosure of cybersecurity risk governance, expertise, and management, with the aim of strengthening corporate governance and protection.
In disclosing their cyber risk governance and strategy, public companies should define their measures for identifying, evaluating, and managing risks.
In addition, public companies should report material cybersecurity incidents within four business days of identifying that an attack occurred.
Cybersecurity and data privacy
As cyber threats become more sophisticated, regulations are evolving to implement more stringent security measures. The Network and Information Systems (NIS) Directive in the EU and similar regulations globally require companies to implement specific cybersecurity protocols. Failure to comply can result in hefty penalties.
In the U.S., five consumer data privacy regulations have taken effect in 2023 — the Utah Consumer Privacy Act, the California Consumer Privacy Rights Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act.
At the same time, the states of Washington, Florida, Texas, Montana, and Oregon have privacy regulations taking effect in 2024.
Emerging technologies and compliance
Emerging technologies like artificial intelligence (AI) and blockchain present new compliance challenges. Regulators are still catching up, creating a landscape of uncertainty.
This gap creates a complex environment where businesses must tread lightly, often adapting to new rules that might not fully address the nuances of advanced technologies.
They may often find themselves ahead of regulations or caught off-guard by sudden legislative changes, especially in data privacy, cybersecurity, AI ethics, and digital transactions.
The National Institute of Standards and Technology has also released the NIST AI Risk Management Framework (AI RMF), which depends on leadership as its foundation. It emphasizes the importance of organizational structure in managing AI risks. It includes creating a culture of risk management and aligning AI processes with existing risk management principles, policies, and legal requirements.
The EU also released the EU AI Act, which could serve as the main framework for regulating the use of artificial intelligence in the region. The Act takes a risk-based approach in categorizing AI systems based on their risk levels, from minimal to unacceptable risks.
This approach allows for a balanced regulatory response proportional to the potential harm of different AI applications.
Globalization and jurisdictional overlaps
Globalization has led businesses to expand their operations across borders, but this expansion brings a patchwork of regional and country-specific regulations. These regulations can often be conflicting or contradictory, making compliance challenging.
For instance, Canada is discussing the Digital Charter Implementation Act of 2022, which could replace the existing PIPEDA regulation. This new framework includes the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), focusing on regulating AI systems using a risk-based approach.
Companies operating in multiple jurisdictions must navigate numerous local, regional, and international regulations. That often requires a localized approach to compliance, making GRC efforts more resource-intensive.
Increasing threats and disruptions
Based on Kroll's 2023 Fraud and Financial Crime Report, money laundering amounts to more than $800 billion annually, and 68% of risk analysts and global leaders expect financial crime to increase next year.
In addition, 56% of the respondents believed that emerging tech was one of the biggest threats in addressing financial crime, with data and cybersecurity breaches being the biggest contributing factors.
To address this challenge, the EU enforced the Digital Operational Resilience Act (DORA), a regulatory framework that aims to strengthen the resilience of financial entities (including banks, insurance companies, investment firms, and ICT third-party service providers) against cyber threats and technological disruptions.
It also introduced new oversight policies to monitor critical ICT third-party service providers (ICTSPs) and their activities. Under this new regulation, financial institutions must conduct due diligence on potential ICTSPs, document contracts, and report their involvement to competent authorities.
Financial entities and ICT service providers in the EU will need to assess and adapt their operational frameworks to ensure compliance with DORA's extensive requirements to strengthen the financial sector's digital operational resilience.
Steps for addressing regulatory challenges
Keeping up with regulatory changes can be challenging because the law itself keeps changing and compliance requirements differ in complexity across jurisdictions.
To effectively manage these challenges, organizations should:
Closely track regulatory changes and enforcement trends
Organizations must establish policies to monitor regulatory developments continuously. That can include understanding enforcement trends to anticipate areas of heightened scrutiny better.
Conduct impact assessments for new regulations
Assessing the impact of new regulations on current operations is crucial. That often involves understanding how new rules may affect existing processes and what changes are needed to ensure compliance.
Allot resources and budget for regulatory compliance
Adequate resources, including budget and personnel, must be allocated for compliance activities. That ensures that the organization can effectively respond to regulatory changes.
Leverage technology and AI
Advanced technologies, like GRC platforms combined with AI, can be pivotal in helping organizations understand and meet their compliance obligations. GRC platforms introduce automation and scalability, while AI engines can analyze vast amounts of data to support cross-compliance mapping, helping organizations achieve compliance with multiple standards faster. New generative capabilities also help, for example by auto-responding to audits and assessments or generating control definitions.
6clicks combines both workflows to automate risk and compliance activities with intelligent AI to expedite the compliance process and garner more informed decisions.
Tech and cybersecurity regulations are complex but navigable with the right approach and tools. By understanding key regulations, leveraging GRC software and AI, and adopting best practices, organizations can comply with legal requirements while enhancing operational efficiency and credibility.
The bottom line
As regulatory compliance grows more complex, organizations must take a strategic approach to navigate the challenges. Through our experience helping clients across industries with their GRC programs, we have found several best practices to be critical.
First, businesses must incorporate agility into their compliance strategies. Manual tracking and spreadsheet-based management can no longer suffice as regulations change frequently and become more complex. Leveraging GRC technology solutions is vital for managing regulatory developments across jurisdictions and ensuring ongoing compliance.
Second, organizations should cultivate a culture of compliance, emphasizing its importance at all levels. When compliance is valued company-wide, policies translate into daily habits and behaviors.
Lastly, vigilance is key. Conducting ongoing risk assessments, audits, and training reinforces compliance discipline. Monitoring enforcement trends also provides insight into regulators' focal points. By staying informed and proactive, organizations can identify and mitigate regulatory risks early.
With the right GRC technology partner and strategies, businesses can overcome regulatory challenges, drive new efficiencies, and unlock opportunities for sustainable growth. By taking a proactive approach, the regulatory road ahead appears navigable.