Global cybersecurity compliance integrity | Deloitte US
A daunting but manageable challenge
Establishing an effective cybersecurity program is a major challenge for every company regardless of industry and geography. However, the challenge is much greater for businesses that operate internationally since they must comply with regulations from multiple jurisdictions and multiple regulators.
- A daunting global challenge
- More similar than different
- Examples of regulatory similarities
A daunting global challenge
Given how rapidly cybersecurity threats emerge and change, it can be hard for companies and regulators to keep up. The challenge is especially difficult for global companies, which must constantly combat an endless stream of cybersecurity threats while demonstrating regulatory compliance in all jurisdictions in which they operate.
Companies based in countries that already impose rigorous cyber integrity requirements may have an edge because they have already done a lot of the hard work necessary to clear a very high bar. On the other hand, companies based in countries with less rigorous requirements are most likely behind on the compliance maturity curve and may thus need to do more work to catch up.
More similar than different
Fortunately, there are a variety of factors that combine to make the global compliance challenge less daunting. Regardless of jurisdiction, most cyber regulations focus on the same or similar types of issues. Also, they tend to have similar objectives and tactics, which include requiring companies to:
- Use a risk-based approach to understand the cybersecurity threats they face, and to implement a cybersecurity program that effectively addresses those threats
- Establish a governance structure to drive accountability for the overall cybersecurity program
- Identify systems that are subject to enhanced security controls
- Monitor information systems for a breach or attempted breach of security
- Implement formal incident and escalation programs to identify and respond to breaches, and to notify regulators and affected individuals in a timely manner
- Periodically test the cybersecurity program
Examples of regulatory similarities
Around the world, various jurisdictions have established their own unique regulations for cyber integrity in banking. This example looks at three of the more prominent regulations—along with an industry standard—to illustrate how hidden commonalities can ease the task of global compliance.
- MAS TRM and Notice 644: Notice on Technology Risk Management [1] (Singapore). This notice is issued pursuant to section 55 of the Banking Act (Cap. 19) (the “Act”) and applies to all banks in Singapore.
- Interagency Guidelines Establishing Information Security Standards (12 CFR Part 30) [2] (United States). Regulatory agencies are considering applying enhanced standards to certain entities with total enterprise-wide consolidated assets of $50 billion or more.
- NYDFS Cyber Rule (23 NYCRR 500) [3] (New York). This rule stipulates that each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework [4]. A framework for improving critical infrastructure cybersecurity.
[1] Monetary Authority of Singapore (MAS) Notice 644.
[2] Federal Register Proposed Rules for: Office of the Comptroller of the Currency, 12 CFR Part 30 [Docket ID OCC–2016–0016] RIN 1557–AE06, Federal Reserve System 12 CFR Chapter II [Docket No. R–1550] RIN 7100–AE 61, Federal Deposit Insurance Corporation, 12.
[3] New York State Department of Financial Services Proposed 23 NYCRR 500.