Cybersecurity Compliance: What you need to know
“The cost of not following cybersecurity compliance can far exceed the price of following it” – Neil Armstrong
Compliance can appear to be a hassle or a set of checklists and boxes to tick; a single framework can easily run to 300 pages. Frameworks are important, however, because they are there to help: they translate business risk into guidelines that keep your organization secure against cyberthreats. If compliance seems complex, dealing with a breach is far more complicated.
Who is concerned by compliance?
With the rise of cyber threats, compliance now concerns almost all sectors and organizations of all sizes. Here are a few examples of regulations:
> HIPAA for the healthcare sector to protect patients’ data.
> PCI-DSS for financial organizations and ecommerce companies, securing payment card information.
> General Data Protection Regulation (GDPR) for any company handling European citizens’ personal data.
> NIS2, DORA and the NIST Cybersecurity Framework 2.0, which are covered below.
Why do we need compliance?
> Data protection and security enhancement: Complying with regulatory requirements ensures that organizations take the measures needed to secure critical data, preventing data breaches that could result in tremendous financial loss and reputational damage.
> Legal requirements: Most cybersecurity regulations are mandatory or will become mandatory soon. Not complying can have serious consequences for organizations, such as fines and legal action.
> Customer trust: Complying with regulatory requirements reassures customers and partners, helping your organization build trust by protecting customers’ data and privacy.
> Cyber insurance: Beyond legal requirements, cyber insurance companies require compliance with regulations; without it, policies become much more expensive. Failing to comply can also result in claims being denied.
Let’s break down recent directives and frameworks.
NIS2:
The NIS2 directive, published in January 2023 by the European Union, updates the original Network and Information Security (NIS) directive of 2016. The new directive enforces stricter security requirements and covers a wider range of industries, including any third party or service provider supporting them. Failing to comply with the NIS2 directive can have substantial consequences, with fines of up to €10M or 2% of the organization’s revenue. By October 2024, all EU countries must transpose the NIS2 directive into their national laws, and they must submit a list of their “Essential” and “Important” entities to the Commission before April 2025.
Main measures:
> New sectors were added to the “Essential” and “Important” entities, whether public or private: digital providers, waste and water management, food, critical chemical manufacturing (such as pharmaceutical and medical), space, postal services, social media platforms, public administrations and so on.
All organizations with 50 or more employees are concerned by NIS2. However, each European country can decide whether a specific small organization must comply or not, and each country can draw up its own list of “Essential Entities”.
Entities that are already subject to measures equivalent to NIS2 are not covered.
> The distinction between Operators of Essential Services and Digital Service Providers no longer applies; there are now two categories of entities: “Essential” and “Important”.
> Supply chain security and supplier relationships are reinforced by requiring coordinated risk assessments from the Member States concerned, in collaboration with ENISA.
> The NIS2 directive does not apply where other sector-specific directives are more stringent than NIS2.
Since the NIS2 directive does not cover all the security requirements of the financial sector, the DORA (Digital Operational Resilience Act) comes in to improve and harmonize security requirements among the EU members. DORA therefore becomes the regulation to take into consideration for the financial sector.
The Digital Operational Resilience Act – DORA
The first draft of DORA was published in September 2020 within the framework of the Digital Finance Package (DFP) by the European Commission. DORA then entered into force in 2023, and entities are expected to comply by January 2025 and to follow guidelines covering risk management, resilience testing, and third-party security. It thus mandates financial organizations to have full control over their suppliers in an effort to secure the entire supply chain.
Consequently, even though the DORA regulations are aimed at European companies, any international supplier who works with the EU will also have to comply.
Main measures:
DORA relies on 5 main pillars to address the cybersecurity of the financial sector:
> ICT risk management: DORA holds the management bodies of financial institutions responsible for managing cyber risk, i.e. controlling and monitoring their ICT systems.
> Incident reporting: In addition to managing risk, institutions’ management bodies are required to notify the authorities of major ICT-related incidents. This pillar of DORA sets out the procedure for informing the European Supervisory Authorities (ESA) in the case of an incident.
> Digital resilience testing: Financial institutions must assess their readiness for threats by bringing in an external, independent party to carry out testing at least once a year.
> Information sharing: This pillar contributes to raising awareness among financial institutions and spreading best prevention and recovery practices.
> ICT third-party risk management: Given the rise of supply chain attacks, the DORA regulation focuses on third-party risk management, requiring specific clauses in legal contracts about access and data security as well as the right of audit and inspection. An up-to-date register of these contracts must be maintained.
The NIST Cybersecurity Framework 2.0 (NCF 2.0)
The National Institute of Standards and Technology (NIST) establishes standards that are recognized worldwide across the industry. Cyber insurance companies rely on them to define their policies and requirements, and the Irish National Cyber Security Centre (NCSC) uses the NIST frameworks as a foundation for its cyber regulations for the public sector.
NIST released a draft of the NCF 2.0 in August 2023, making significant changes to versions 1.0 and 1.1. It broadens the sector scope, similarly to the DORA regulation, to cover organizations of all sizes in all geographical locations. Additionally, a sixth pillar, Govern, was added to the 5 existing pillars (Identify, Protect, Detect, Respond, and Recover).
The 6 Pillars of the NCF 2.0
cyberelements can help you comply with NCF 2.0:
> Continuous Monitoring and Adverse Event Analysis:
The session monitoring and real-time analysis feature of the cyberelements platform lets you define security postures against which any suspicious activity is detected and automatically stopped.
> Technology Infrastructure Resilience – PR.IR-02: The organization’s networks and environments are protected from unauthorized logical access and usage:
Policy-based access control backed by Multi-Factor Authentication and just-in-time access ensures that the right user gets access only to the resources they need, limiting any unnecessary access.
> Platform Security – PR.PS-01: Configuration management practices are applied (Least Privilege and least functionality):
The cyberelements platform is based on a double-barrier architecture with no permanent flow to the network, volatile tunnels, and on-demand port opening. This adopts a Zero Trust approach that gives users the least privilege possible.
> PR.PS-04: Log records are generated for cybersecurity events and made available for continuous monitoring. PR.PS-08: Supply chain security practices are integrated, and their performance is monitored throughout the technology product and service life cycle:
The key features addressing these rules are session recording in video format and granular logs that can be searched and saved for further use.
> Identity Management, Authentication, and Access Control: Access to physical and logical assets is limited to authorized users, processes, and devices, and is managed commensurate with the assessed risk of unauthorized access:
With its set of Identity and Access Management features, cyberelements covers this category of the NCF 2.0. Through its identity-based access policies, Single Sign-On, and password vault, cyberelements allows organizations to secure credentials with advanced technologies.
> Supply Chain Risk Management: The organization’s supply chain risks are identified, assessed, and managed consistent with the organization’s priorities, constraints, risk tolerances, and assumptions:
cyberelements, as a Zero Trust PAM solution, secures third-party access, whether remote or on premises. You can give a third party temporary access to a closely monitored session. Additionally, thanks to password rotation and automatic credential injection, your credentials are never exposed to any of your service providers.
cyberelements is the security platform for business performance. It has been designed to cover your security needs without compromising user experience. Cyber compliance should not be a hassle but a lever for business performance where security goes hand in hand with a better user experience, encouraging workforces to apply the appropriate security measures.