Whether your business is global or local, cybersecurity compliance is critical. Meeting cybersecurity compliance certification standards is a great way to signal to your clients and partners that you take their information and data security seriously.
While having protocols in place is always a good idea, in some industries, compliance with cybersecurity regulations is mandatory. Below are some examples of industry-specific cybersecurity regulations, and some that cross disciplinary lines and apply to businesses in any industry.
PCI DSS Cybersecurity Compliance
If your business accepts credit card payments, or if you process or transmit credit card payments, then you may be mandated to comply with the cybersecurity regulations defined by the Payment Card Industry Data Security Standard (PCI DSS). Whether compliance is mandated depends on the location of your business. The US, for example, does not federally mandate compliance with PCI DSS, while the Australian Government says:
'All Australian businesses that accept card payments need to comply with the PCI DSS regardless of their business size. You can’t partially comply. Your level of compliance will depend on your business situation.'
As the Australian Government lays out, following the PCI cybersecurity compliance standards means that your business will:
- reassure your customers that their card details are secure when they pay you
- maintain customer trust in your business, which is good for your reputation
- show your commitment to improving the shopping experience for your customers and protecting their data
- prevent others from accessing your payment system networks and stealing cardholder data.
To achieve PCI DSS cyber compliance, and to comply with cybersecurity regulations in Australia and elsewhere, your business must:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Even in places where PCI DSS compliance is not mandated by the government, PCI cybersecurity compliance is the industry standard for anyone who accepts payments by card. And as with all cybersecurity standards, compliance just makes good sense, mandate or not.
APRA CPS 234 Cybersecurity Compliance
If your company does business in Australia, whether you are based there or not, you may be subject to the cybersecurity compliance program called APRA CPS 234.
In 2019, the Australian Prudential Regulation Authority (APRA) put forth a new Cross-industry Prudential Standard (CPS) that governs cybersecurity compliance. As APRA explains in its guidance, CPS 234 aims to ensure that a regulated entity:
Takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats. A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets, including information assets managed by related parties or third parties.
To achieve APRA CPS 234 cybersecurity compliance, a business regulated by APRA must:
- clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals;
- maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
- notify APRA of material information security incidents.
These cybersecurity compliance standards apply to all business entities that fall under the regulation of APRA. According to StickmanCyber, these entities include:
- Banks, credit unions and other authorised deposit-taking institutions (ADIs)
- Superannuation funds
- Life insurance companies
- Friendly societies
- General insurers
- Non-operating holding companies
- Private health insurers.
StickmanCyber also specifies that “It is important to note that from July 1, 2020 onwards, all third parties that handle information assets from the above-listed organisations will also have to comply with CPS 234” and reminds us that “CPS 234 also applies to certain foreign entities.” These include:
- Foreign ADIs
- Foreign General Insurers
- Foreign life insurance companies
So if your business falls into any of these categories, cybersecurity compliance should be a top priority.
NIST Cybersecurity Framework
First developed and adopted by the US government, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a globally accepted set of cybersecurity regulations that can help any business improve its cybersecurity program. As StickmanCyber explains, “The framework provides a common language for understanding, managing, and expressing cybersecurity risk to all stakeholders, whether that be internal or external.” While the NIST Cybersecurity Framework is mandated for ANY business that does business with the US government, NIST says that “Companies from around the world have embraced the use of the Framework,” including:
- JP Morgan Chase
- Bank of England
- Nippon Telegraph and Telephone Corporation
- Ontario Energy Board
While the framework itself is thorough and detailed, the principles behind it are clear and relatively easy to follow (though every business can benefit from expert help to ensure it meets the NIST cybersecurity compliance standards). As NIST explains:
The Framework not only helps organizations understand their cybersecurity risks (threats, vulnerabilities, and impacts) but how to reduce these risks with customized measures. The Framework also helps them respond to and recover from cybersecurity incidents, prompting them to analyze root causes and consider how they can make improvements.
Within the framework, NIST asks that organizations approach cybersecurity by creating a plan to:
- Protect from,
- Respond to, and
- Recover from cyber attacks
If your company does business with the US government, you are obligated to meet NIST cybersecurity compliance requirements. If your company doesn’t, it’s still a terrific framework to follow to make sure that you are meeting widely accepted cybersecurity standards and keeping your company’s and your clients’ data secure.
Whether it is mandated or not, and regardless of industry, your organization needs a framework in place to ensure cybersecurity compliance.
Ensure that your business is compliant with all necessary cybersecurity frameworks and regulations, year-on-year, with proven methodologies and an expert team. Learn more about cybersecurity compliance here.