<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=26304&amp;fmt=gif">
Vendor Risk Management

Cybersecurity Compliance: Regulations For 7 Industry Sectors

Jake Olcott | February 9, 2017

Over the last 5-10 years, we’ve seen a major uptick in the number of regulations across all sectors regarding cybersecurity. The following is a brief look at how cybersecurity regulations have been implemented across seven sectors and divisions.

Cybersecurity Compliance: Regulations For 7 Industry Sectors

Financial

security

The financial sector has a number of cybersecurity requirements set by federal and state regulators. The most common set of requirements is found in the Federal Financial Institution Examination Council handbook, or FFIEC-IT. That body is comprised of a number of booklets that contain resources and requirements financial institutions are expected to adhere to. There are also a number of different guidances that financial regulatory bodies put out. An example is the Office of the Comptroller of Currency (OCC), which has put out guidance on third-party risk management. That guidance is issued to all organizations that fall under their oversight.

Retail

The retail sector isn’t federally regulated, but it does follow regulations from the Payment Card Industry Security Council’s Data Security Standard (or PCI DSS). This group issues security standards that any organization that processes payment cards or holds payment card data is required to follow.

Healthcare

The best-known standard for cybersecurity compliance healthcare is the Health Insurance Portability and Accountability Act. HIPAA establishes cybersecurity standards for healthcare organizations, insurers, and the third-party service providers medical organizations do business with.

Defense

As a condition of providing a service to the U.S. Department of Defense (DOD), businesses must meet cyber requirements set up in the Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance, and Information (PGI). DFARS outlines cybersecurity standards a third party must meet and comply with prior to doing business with the DOD in order to protect sensitive defense information.

Consumer Data

Currently, 47 out of 50 states (and the District of Columbia) have enacted cybersecurity compliance requirements for organizations to notify states about security breaches that compromise customer data. For instance, if your company holds sensitive personal information about customers—like social security numbers, account numbers, or payment card information—and you experience a breach, you’re obligated to notify those affected. The Federal Trade Commission (FTC) can also penalize organizations for failing to adequately protect consumer data.

Insurance

While regulations for insurance departments and companies vary state by state, many have issued requirements to protect consumer information. Furthermore, we’ve seen increased interest in adding more regulations in this area. In October 2016, the New York State Department of Financial Services (DFS) proposed new regulation around cybersecurity for both financial organizations and insurance companies.

Energy

The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over a number of electric utility companies and operators. The standards are created by a nonprofit authority known as the North American Electric Reliability Corporation (NERC), and the regulations are known as the Critical Infrastructure Protection (CIP) Standards.

Something for all sectors to keep in mind...

While cybersecurity compliance with regulations is a critical goal, ongoing management of cybersecurity—both your own and your vendors’—shouldn’t be understated. Protecting critical data and information is less about the label of compliance and more about creating and adhering to a cybersecurity program.

If you need some tips on how to create a cybersecurity program for your vendors, download this ebook. It covers the questions you need to ask all of your vendors, risk vectors and configurations to keep in mind, and the impact of continuous risk monitoring software.

security-managers-guide-to-VRM

Suggested Posts

Improve IT Vendor Monitoring with Data-Driven Conversations

Businesses are becoming increasingly reliant on outsourced IT services to support day-to-day operations.

READ MORE »

3 Surprising Ways Supply Chain Cybersecurity Can Impact Retailers

Retail operations, whether in-store or online, rely on a long chain of connections between third parties. When attackers target one of these third parties, they can wreak havoc on the supply chain, affecting business operations up and down...

READ MORE »

Streamline Your Bank's Third-Party Vendor Management Risk Assessments

Banks and other financial institutions are a proving ground for new risk management methods. High risk and intense regulations feed into a culture of serious, comprehensive security — a culture that has manifested in mature methodologies...

READ MORE »

Subscribe to get security news and updates in your inbox.