New cybersecurity regulations going into effect in 2024 place unprecedented compliance demands on organizations. Some changes update existing regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Directive on Network and Information Security (NIS). Others introduce new regulations, such as the Securities and Exchange Commission's new cybersecurity disclosure rules, the Product Security and Telecommunications Infrastructure (PSTI) Act, the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA). Various changes affect organizations operating in the US, UK and EU. Here's a summary of new regulations your organization should prepare for in 2024.
1. SEC Cybersecurity Incident Disclosure Rules
Since 2011, the U.S. Securities and Exchange Commission has issued interpretive guidance on how to apply existing risk disclosure requirements to cybersecurity incidents, but without introducing new requirements specific to cybersecurity. In July 2023, the SEC adopted a final rule on public company cybersecurity disclosures; its provisions began taking effect in December 2023.
The new regulations include several updates to SEC forms and regulations:
- SEC Form 8-K adds Item 1.05, requiring registrants to disclose a material cybersecurity incident within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery of the incident, and the determination itself must be made without unreasonable delay. Disclosure may be delayed only if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.
- SEC Regulation S-K adds Item 106, requiring registrants to describe their processes for assessing, identifying and managing cybersecurity risks, the material effects and risks of security incidents, the board's oversight of cybersecurity risk, and management's role and expertise in assessing and managing it.
- SEC Form 6-K adds requirements for foreign private issuers to disclose information on material cybersecurity incidents.
- SEC Form 20-F adds requirements for foreign private issuers to make periodic disclosures similar to those under Regulation S-K Item 106.
The incident-disclosure requirement has applied to most registrants since December 18, 2023; smaller reporting companies were given until June 15, 2024, so as of that date it applies to companies of all sizes. The annual disclosures under Item 106 apply to fiscal years ending on or after December 15, 2023. Read more about the new SEC cybersecurity requirements.
Impact
The SEC can enforce compliance through significant fines and legal actions. Non-compliance can result in substantial penalties, legal risks, and damage to a company's reputation. Companies must implement robust cybersecurity incident response and disclosure procedures to avoid penalties and maintain investor confidence.
2. PCI-DSS 4.0
The major payment card brands require merchants and service providers that store, process or transmit cardholder data to comply with the Payment Card Industry Data Security Standard, which is maintained by the PCI Security Standards Council (PCI SSC). PCI DSS has been in place since 2004. The current standard encompasses 12 requirements grouped into 6 general security areas:
Building and maintaining a secure network and systems
- Requirement 1: Installing and maintaining network security controls
- Requirement 2: Applying secure configurations to all system components
Protecting account data
- Requirement 3: Protecting stored account data
- Requirement 4: Protecting cardholder data with strong cryptography during transmission over open, public networks
Maintaining a vulnerability management program
- Requirement 5: Protecting all systems and networks from malicious software
- Requirement 6: Developing and maintaining secure systems and software
Implementing strong access control measures
- Requirement 7: Restricting access to system components and cardholder data to business need to know
- Requirement 8: Identifying users and authenticating access to system components
- Requirement 9: Restricting physical access to cardholder data
Regularly monitoring and testing networks
- Requirement 10: Logging and monitoring all access to system components and cardholder data
- Requirement 11: Testing security of systems and networks regularly
Maintaining an information security policy
- Requirement 12: Supporting information security with organizational policies and programs
The standard includes detailed requirements and testing procedures for each of these areas. PCI DSS v4.0 introduces several major changes from previous versions:
- Shifting to a more flexible framework that allows outcome-based "customized" controls alongside the traditional "defined" controls, so organizations can implement security solutions geared toward their priority risks, provided they can demonstrate the control meets the requirement's stated objective
- Emphasizing continuous security monitoring as an ongoing process rather than a point-in-time assessment, and encouraging organizations to address advanced persistent threats (APTs) and insider threats
- Expanding requirements for multi-factor authentication (MFA), which now applies to all access into the cardholder data environment, along with stronger encryption and key management requirements that also apply to cloud environments
- Requiring stricter testing and validation procedures, including penetration testing, vulnerability scanning and application security assessments
- Expanding compliance due diligence to include third-party vendors throughout the supply chain
- Emphasizing security awareness training to prevent social engineering and human error
- Introducing requirements for incident response preparation to minimize the impact of security breaches
PCI DSS v3.2.1 was retired on March 31, 2024, so v4.0 is now the only active version; a set of future-dated v4.0 requirements that are currently best practices become mandatory on March 31, 2025. Organizations already following older PCI DSS versions should conduct a review of their current compliance and a gap analysis of what changes need to be made to comply with the new standard.
Impact
The PCI SSC maintains the standard but does not itself enforce it. Enforcement comes from the card brands, acting through acquiring banks, which can impose fines on non-compliant merchants and service providers. Commonly cited penalties for non-compliance with PCI DSS 4.0 run up to $100,000 per month, alongside increased transaction fees and potential loss of the ability to process payment cards. Organizations must conduct a thorough review of their current security measures and implement necessary changes to avoid penalties and ensure the security of cardholder data.
3. PSTI (UK)
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) went into effect in the UK on April 29, 2024. PSTI legislation includes provisions to improve security of connected consumer devices and promote smoother rollout of gigabit-capable broadband and 5G networks. Here we will focus on the section of PSTI relevant to connected device security.
The PSTI Act gives regulatory force to secure manufacturing guidelines first introduced in the UK by the 2018 Code of Practice for Consumer IoT Security and later formalized in the 2020 European Telecommunications Standards Institute (ETSI) standard EN 303 645. Limited voluntary adoption of these guidelines by manufacturers prompted the PSTI Act, which turns the key recommendations into legal requirements.
The Product Security measures of the PSTI Act cover consumer Internet-connectable and network-connectable devices such as connected speakers, connected cameras and smart TVs, with some specified exceptions allowed. The provisions apply to manufacturers, importers and distributors of these products. PSTI regulations require that:
- Connectable devices must not ship with universal default or easily guessable passwords; passwords must be unique per device or defined by the user, and a device reset must not restore a shared, guessable factory default.
- Customers must be informed at the time of purchase of the minimum period during which the device will receive security updates, and must be told if no updates will be provided.
- Manufacturers must provide a public point of contact through which security researchers and others can report product flaws and vulnerabilities.
- Products must be accompanied by a statement of compliance.
Impact
The Department for Business and Trade (DBT) has authority through the Office for Product Safety and Standards (OPSS) to enforce PSTI compliance through civil and criminal penalties. Failure to comply can cost manufacturers fines of up to £10m or 4% of global turnover plus up to £20,000 a day for ongoing violations.
4. Cyber Resilience Act (CRA)
The EU's Cyber Resilience Act (CRA) was adopted by the European Parliament in March 2024 and, at the time of writing, awaited final adoption by the Council after the June 2024 EP elections. Under the EU's New Legislative Framework, it introduces cybersecurity rules governing products with digital elements (PDEs). It covers hardware such as mobile phones, laptops and smart appliances as well as software such as operating systems, word processing programs and mobile apps. It does not cover certain excluded products governed by other legislation, such as connected cars, medical devices and aeronautical equipment. It applies to the entire product lifecycle and supply chain, including manufacturers, importers and distributors.
Proposed CRA provisions require that:
- Cybersecurity requirements must be met before PDE products go to market, with due diligence obligations extending to third-party component suppliers.
- Manufacturers must manage product vulnerabilities through regular security tests, patches, disclosures and clear documentation over a support period of no less than five years, except for products with shorter periods of intended use.
- Organizations must perform internal risk assessments, but may designate authorized representatives as external points of contact for purposes such as communicating with market surveillance authorities.
- Manufacturers must maintain records on PDE product manufacture and component parts and retain them for 10 years after PDEs go to market.
- Manufacturers must notify the designated authorities of actively exploited vulnerabilities in their products, with an initial early warning due within 24 hours of becoming aware of the exploitation.
Impact
Under the CRA, non-compliance with the essential cybersecurity requirements can incur administrative fines of up to €15 million or 2.5% of an organization's global annual turnover, whichever is higher, with fines of up to €5 million or 1% of global annual turnover for supplying incorrect, incomplete or misleading information to authorities.
Open-source organizations and other affected parties lobbied for changes to the CRA, and the adopted text includes a lighter-touch regime for open-source software stewards. As of July 2024, the CRA still awaited formal adoption by the Council. It was subsequently published as Regulation (EU) 2024/2847 and entered into force on December 10, 2024; the vulnerability-reporting obligations apply from September 11, 2026 and the remaining obligations from December 11, 2027.
5. DORA
The EU's Digital Operational Resilience Act (DORA) aims to strengthen the IT security of financial service providers, including banks, insurance companies and investment firms. It harmonizes rules applying to 20 different types of financial entities and their third-party information and communications technology (ICT) providers. DORA applies from January 17, 2025.
An overview of DORA highlights six key areas the legislation encompasses:
- ICT risk management frameworks must be implemented by financial institutions to identify, evaluate, manage and track threats.
- ICT risk management responsibilities extend to contracts with third-party providers.
- Mandatory digital operational resilience testing must be conducted regularly, with entities deemed significant also required to undergo threat-led penetration testing (TLPT) of live production systems at least every three years to identify and counter vulnerabilities.
- Major ICT-related incidents must be reported to authorities.
- Information sharing on cyber threat intelligence is encouraged but not required.
- Risks from third-party ICT providers must be monitored actively.
Impact
DORA delegates regulatory enforcement to competent authorities in EU member states, which can determine administrative and, where national law provides for them, criminal penalties. Critical third-party ICT providers will be overseen directly by the European Supervisory Authorities (ESAs), which can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied every day for up to six months until compliance obligations are met.
6. NIS2
The EU's 2016 Directive on Network and Information Security (NIS) has been replaced by the NIS2 Directive, published in December 2022 and in force since January 2023. The directive aims to improve cybersecurity for essential services vital to society and the economy, such as energy, water, transportation, healthcare, banking, financial markets and digital infrastructure. All EU member states must transpose NIS2 into national law by October 17, 2024.
NIS2 requires EU member states to enhance their cybersecurity by taking measures such as organizing a Computer Security Incident Response Team (CSIRT), establishing an NIS authority, cooperating in information sharing with other member states and building a culture of security across essential sectors. NIS2 includes guidance on:
- Risk analysis and information system security
- Incident management
- Business continuity
- Supply chain security
- Security in acquiring, developing, and maintaining network and information systems
- Evaluation of the effectiveness of risk management policies and procedures
- Implementing cyber hygiene practices and cybersecurity training
- Cryptography and encryption policies and procedures
- Human resources security
- Multi-factor authentication and continuous authentication and secure communications
Impact
Non-compliance can incur fines of up to 10 million EUR or 2% global annual turnover for essential entities and up to 7 million EUR or 1.4% global annual turnover for important entities. Management may incur liability and bans and services may be suspended.
Prepare for New Cybersecurity Regulations with Pentesting Services
Today's new cybersecurity regulations obligate organizations to adopt proactive policies toward testing, mitigating, and disclosing vulnerabilities. You need to anticipate attacks before they happen, implement effective preventive measures, and respond rapidly to emerging incidents.
Penetration testing can help your organization achieve compliance with today's tougher regulatory requirements. Cobalt's pentest as a service (PtaaS) platform gives you on-demand access to experts who can conduct end-to-end security testing across your network's entire attack surface. Our expert-led offensive security services help you keep up with compliance requirements by providing audit-quality attestation reports tailored to any regulatory specifications that apply to your organization.
FAQ
Several new cybersecurity regulations are impacting organizations globally.
- SEC Cybersecurity Incident Disclosure Rules (US): Requires publicly traded companies to disclose material cybersecurity incidents within four business days and provide detailed information about their cybersecurity risk management, strategies, and expertise.
- PCI-DSS 4.0 (Global): Updates the Payment Card Industry Data Security Standard, shifting to a more flexible, outcome-based approach, emphasizing continuous security monitoring, and strengthening cloud security, MFA, encryption, and vendor due diligence.
- PSTI Act (UK): Focuses on the security of consumer connected devices, requiring unique passwords, transparency about security updates, and a public point of contact for security researchers to report vulnerabilities.
- Cyber Resilience Act (CRA) (EU): Proposed legislation to enhance cybersecurity for products with digital elements, covering their entire lifecycle and supply chain, with requirements for vulnerability management, risk assessments, and incident reporting.
- Digital Operational Resilience Act (DORA) (EU): Strengthens IT security for financial institutions, requiring robust ICT risk management frameworks, third-party risk management, mandatory penetration testing, and incident reporting.
- NIS2 Directive (EU): Updates the Directive on Network and Information Security, aiming to improve cybersecurity for essential services, requiring risk analysis, incident management, supply chain security, and cybersecurity training.
At a fundamental level, penetration testing plays a crucial role in meeting the requirements of these regulations by:
- Identifying vulnerabilities: Simulating real-world attacks to uncover security weaknesses in systems, networks, and applications.
- Validating security controls: Assessing the effectiveness of existing security measures in preventing and mitigating potential attacks.
- Demonstrating compliance: Providing evidence of proactive security testing and vulnerability management efforts to regulatory authorities.
- Meeting specific requirements: Fulfilling mandatory penetration testing requirements, such as those stipulated in DORA for financial institutions.
- Improving overall security posture: Helping organizations strengthen their defenses and reduce their risk of cyberattacks.
Key changes in PCI-DSS 4.0 include an outcome-based approach, continuous security monitoring, enhanced cloud security, stricter testing and validation, expanded vendor due diligence, emphasis on security training, and improved incident response preparedness. These updates aim to address advanced threats, insider risks, and ensure comprehensive security across all environments.
The CRA aims to:
- Enhance cybersecurity for products with digital elements (PDEs)
- Extend cybersecurity obligations to the supply chain
- Improve vulnerability management
- Mandate risk assessments
- Strengthen enforcement and penalties
NIS2 provides comprehensive guidance on various aspects of cybersecurity, including risk analysis, incident management, business continuity, supply chain security, and integrating security throughout the information systems lifecycle.
It emphasizes regular evaluation of risk management effectiveness, promoting good cyber hygiene and training, implementing strong cryptography, addressing human resources security, and enforcing multi-factor authentication and secure communications. For more details, visit NIS2 Requirements.
Other key agencies include the National Institute of Standards and Technology (NIST), which develops cybersecurity standards and guidelines; the Federal Trade Commission (FTC), which enforces cybersecurity practices for consumer protection; and the Securities and Exchange Commission (SEC), which oversees cybersecurity disclosures for publicly traded companies.
The NCSC is part of GCHQ and plays a central role in enhancing cybersecurity in the UK, providing guidance, support, and incident response capabilities to businesses, government, and individuals.
Additionally, both the EU and UK have other regulatory bodies and frameworks, such as the GDPR and NIS Directive in the EU and the Data Protection Act and Network and Information Systems Regulations in the UK, that contribute to the overall cybersecurity landscape.