Global cybersecurity compliance integrity

A daunting global challenge

Given how rapidly cybersecurity threats emerge and change, it can be hard for companies and regulators to keep up. The challenge is especially difficult for global companies, which must constantly combat an endless stream of cybersecurity threats while demonstrating regulatory compliance in all jurisdictions in which they operate.

Companies based in countries that already impose rigorous cyber integrity requirements may have an edge because they have already done a lot of the hard work necessary to clear a very high bar. On the other hand, companies based in countries with less rigorous requirements are most likely behind on the compliance maturity curve and may thus need to do more work to catch up.

Back to top

More similar than different

Fortunately, there are a variety of factors that combine to make the global compliance challenge less daunting. Regardless of jurisdiction, most cyber regulations focus on the same or similar types of issues. Also, they tend to have similar objectives and tactics, which include requiring companies to:

• Use a risk-based approach to understand the cybersecurity threats they face, and to implement a cybersecurity program that effectively addresses those threats
• Establish a governance structure to drive accountability for the overall cybersecurity program
• Identify systems that are subject to enhanced security controls
• Monitor information systems for a breach or attempted breach of security
• Implement formal incident and escalation programs to identify and respond to breaches, and to notify regulators and affected individuals in a timely manner
• Periodically testing the cybersecurity program
  

Back to top

Examples of regulatory similarities

Around the world, various jurisdictions have established their own unique regulations for cyber integrity in banking. This example looks at three of the more prominent regulations—along with an industry standard—to illustrate how hidden commonalities can ease the task of global compliance.

• MAS TRM and Notice 644: Notice on Technology Risk Management¹ (Singapore). This notice is issued pursuant to section 55 of the Banking Act (Cap. 19) (the “Act”) and applies to all banks in Singapore.
• Interagency Guidelines Establishing Information Security Standards (12 CFR Part 30²) (United States). Regulatory agencies are considering applying enhanced standards to certain entities with total enterprise-wide consolidated assets of $50 billion or more.
• NYDFS Cyber Rule (23 NYCRR 500³) (New York). This rule stipulates that each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems.
• National Institute of Standards and Technology (NIST) Cybersecurity Framework⁴. A framework for improving critical infrastructure cybersecurity.

¹ Monetary Authority of Singapore (MAS) Notice 644.

² Federal Register Proposed Rules for: Office of the Comptroller of the Currency, 12 CFR Part 30 [Docket ID OCC–2016–0016] RIN 1557–AE06, Federal Reserve System 12 CFR Chapter II [Docket No. R–1550] RIN 7100–AE 61, Federal Deposit Insurance Corporation, 12.

³ New York State Department of Financial Services Proposed 23 NYCRR 500.

⁴ https://www.nist.gov/cyberframework

Back to top