In 2024, the SEC’s new cybersecurity disclosure rules took effect, with the aim of giving investors consistent, decision-useful information. SEC registrants must now disclose material cybersecurity incidents and make annual disclosures about their cybersecurity risk management, strategy, and governance, including a description of their processes for assessing, identifying, and managing cyber risks.
But even if your company is privately owned or a small- or medium-sized business (SMB) not directly subject to the SEC rules, it is still likely subject to other regulations that require protecting customer data. An organization’s cybersecurity risk management framework and the technology behind it are key mechanisms for compliance, especially in today’s digitized society where data is everything.
Here’s why a strong cybersecurity posture is so critical for compliance and how Extended Detection and Response (XDR) can help an organization achieve, and demonstrate, regulatory compliance.
In data security compliance, does size matter?
When attackers manage to exfiltrate sensitive data like individuals’ addresses, phone numbers, and dates of birth, they can use it for identity theft or to compromise and blackmail organizations. Even small organizations have this type of data. Here are some of the key regulations that companies of almost any size are required to comply with:
Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts, transmits, or stores any cardholder data – no matter the size or number of transactions.
The Federal Trade Commission’s cybersecurity requirements, in particular the Safeguards Rule under the Gramm-Leach-Bliley Act, apply to businesses of any size that handle sensitive consumer financial information.
Any business that handles Protected Health Information (PHI), regardless of size, must comply with the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule; this covers both covered entities and the business associates that process PHI on their behalf.
New York's SHIELD Act applies to any business that owns or licenses computerized data containing private information of New York residents, regardless of size.
The National Credit Union Administration (NCUA) requires federally insured credit unions to report cyber incidents to the NCUA as soon as possible, and no later than 72 hours after the credit union reasonably believes that it has experienced an incident.
Although the General Data Protection Regulation (GDPR) is a European Union regulation, it applies to U.S. businesses of any size that process the personal data of individuals in the EU.
In its final disclosure rules, the SEC states: "Under our rules, a registrant (other than an investment company) is considered a ‘small business’ or ‘small organization’ if it had total assets of $5 million or less on the last day of its most recent fiscal year and is engaged in or proposing to engage in an offering of securities that does not exceed $5 million."
Size does not matter when it comes to sound compliance practices
In addition to companies in healthcare, banking, or retail/ecommerce, any company, regardless of size, that does business with government entities is subject to data privacy and cybersecurity rules because of the sensitive nature of the information handled, which often includes classified or controlled unclassified information (CUI). In August 2024, the U.S. Attorney's Office alleged that Georgia Tech’s research arm, the Georgia Tech Research Corporation, "failed to meet cybersecurity requirements" on contracts with the Department of Defense.
Moreover, employee benefits managers and retirement plan sponsors, even at SMBs, have a business and personal fiduciary responsibility to safeguard employees' personal and financial information. A cybersecurity incident can rapidly balloon into a fiduciary breach, which often leads to lawsuits, regulatory penalties, and damage to the brand’s reputation.
XDR centralizes security efforts for better compliance
XDR’s strength is being a fast, proactive, unified security platform. XDR consolidates the functionality of network detection and response (NDR) with endpoint detection and response (EDR), and correlates the two, to provide visibility across the whole computing environment. As such, XDR centralizes security efforts for better compliance. A business owner, CISO, or IT leader can see the entire horizon on an alert dashboard that presents all security activity in a single view. Further, the cybersecurity point person can concentrate on alerts that have been triaged as likely threats rather than wading through a slew of false positives, since XDRs like our own Samurai XDR automatically appraise each alert to determine its relevance.
Cybersecurity compliance is continuous
XDR is an AI- and ML-powered monitoring and analysis engine that works 24/7 to detect known and unknown threats, which aligns with the continuous nature of compliance. It automates anomaly detection and parts of incident response using machine learning and artificial intelligence. Moreover, Samurai XDR’s operational threat intelligence gives the organization information that can be used to develop and implement stronger cybersecurity measures against new risks to the environment.
XDR’s compliance paper trail
In the same manner that a company’s accounting department keeps records in case of an IRS audit, the security team should aspire to be just as buttoned up in keeping security data. XDR collects data from a variety of sources, including system logs and security controls. A powerful XDR solution will provide reports and snapshots of the threats detected throughout the environment that can be used as evidence in a regulatory audit. The information demonstrates to regulators how quickly an organization is detecting and responding to threats, for example as time to detect and time to contain per incident. For that evidence to hold up, the underlying records need trustworthy timestamps and a retention period at least as long as the regulation in question requires.
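The following is an added example, not code from Samurai XDR or from the article, of how detection and response timings can be derived from the kind of records an XDR retains. The event schema, the source and stage names, and the sample records are all constructed for illustration; the 72-hour window mirrors the NCUA reporting timeframe mentioned above and is used only to show how a deadline check falls out of the same data.

```python
"""Audit-evidence metrics from detection/response records (added example).

Assumptions: events are normalized to (source, asset, stage, timestamp);
stage names and source names are invented for this example; the 72-hour
window illustrates the NCUA-style reporting deadline cited in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean


@dataclass(frozen=True)
class Event:
    source: str      # telemetry source, e.g. "edr", "ndr", "soc" (assumed names)
    asset: str       # affected host; used as the correlation key
    stage: str       # first_activity | detected | contained | reported
    ts: datetime


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample records (not real telemetry): two incidents, each seen by
# both the network and the endpoint sensor, then reported by the SOC.
SAMPLE_EVENTS = [
    Event("ndr", "ws-042", "first_activity", parse_ts("2024-09-01T08:00:00Z")),
    Event("edr", "ws-042", "detected",       parse_ts("2024-09-01T08:30:00Z")),
    Event("edr", "ws-042", "contained",      parse_ts("2024-09-01T10:00:00Z")),
    Event("soc", "ws-042", "reported",       parse_ts("2024-09-03T09:00:00Z")),
    Event("ndr", "db-07",  "first_activity", parse_ts("2024-09-02T00:00:00Z")),
    Event("ndr", "db-07",  "detected",       parse_ts("2024-09-02T06:00:00Z")),
    Event("edr", "db-07",  "contained",      parse_ts("2024-09-04T06:00:00Z")),
    Event("soc", "db-07",  "reported",       parse_ts("2024-09-06T00:00:00Z")),
]

REPORT_WINDOW_HOURS = 72  # "no later than 72 hours" after the incident is recognized


def build_timelines(events):
    """Correlate events by asset, keeping the earliest timestamp per stage so
    duplicate alerts from several sources do not inflate the figures."""
    timelines = defaultdict(dict)
    for ev in events:
        current = timelines[ev.asset].get(ev.stage)
        if current is None or ev.ts < current:
            timelines[ev.asset][ev.stage] = ev.ts
    return dict(timelines)


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def incident_metrics(timeline):
    """Figures an auditor asks for, from one asset's timeline.
    A missing stage yields None; an incident with no 'reported' stage is
    deliberately flagged as outside the window rather than ignored."""
    def delta(a, b):
        if a in timeline and b in timeline:
            return hours_between(timeline[a], timeline[b])
        return None

    report_delay = delta("detected", "reported")
    return {
        "time_to_detect_h": delta("first_activity", "detected"),
        "time_to_contain_h": delta("detected", "contained"),
        "report_delay_h": report_delay,
        "reported_within_window": report_delay is not None
        and report_delay <= REPORT_WINDOW_HOURS,
    }


def audit_report(events):
    """Per-incident metrics plus fleet-wide means (MTTD / MTTC) and the list
    of incidents that missed the reporting window."""
    per_asset = {a: incident_metrics(tl) for a, tl in build_timelines(events).items()}
    ttd = [m["time_to_detect_h"] for m in per_asset.values() if m["time_to_detect_h"] is not None]
    ttc = [m["time_to_contain_h"] for m in per_asset.values() if m["time_to_contain_h"] is not None]
    return {
        "incidents": per_asset,
        "mttd_h": mean(ttd) if ttd else None,
        "mttc_h": mean(ttc) if ttc else None,
        "late_reports": sorted(a for a, m in per_asset.items() if not m["reported_within_window"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(SAMPLE_EVENTS), indent=2, default=str))
```

Keeping the earliest timestamp per stage is the important design choice: when the same intrusion surfaces in both EDR and NDR, the audit figure should reflect the first time the organization could have known, not the time the last duplicate alert fired. Treating an incident with no "reported" record as outside the window makes the report fail loudly when evidence is missing instead of quietly omitting the incident.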
Everything is data
XDR works by centralizing your data into what security experts call a data lake. Rather than toggling between disjointed information from different systems, Samurai XDR collects data from across the IT infrastructure into one location so one can get a complete view of threats and alerts at a moment's notice. Additionally, organizations can improve compliance and avoid violations with compliance mapping and benchmarks against regulatory frameworks like PCI DSS, ISO 27001, and the National Institute of Standards and Technology’s (NIST) frameworks, complemented by vulnerability scanning. Mapping detections to a framework’s controls is useful audit evidence, but it does not by itself satisfy controls that XDR does not implement, such as access management or encryption; those still need their own evidence.
In the modern world where everything is digitized, GRC (governance, risk, and compliance) is on the road to becoming fundamental to business operations. GRC is a broader management framework than data security alone, and XDR can play a key role within it by supplying the risk and compliance evidence it depends on.
Regardless of your company’s size or sector, it is wise on many levels to adhere to the rules and adopt best practices for cybersecurity risk management and compliance. Even if your organization is not subject to any official cybersecurity regulations, high-performing companies are zealous about cybersecurity and put in place procedures and technologies to protect their own and their customers’ valuable data, data that is not only the new oil but also the new wheel, engine, and road. For a free, handy small business quick-start guide, refer to NIST’s Cybersecurity Framework 2.0 Small Business Quick-Start Guide.
About the Author:
Greg Garten is the Chief Technology Officer of NTT Security Holdings and Samurai XDR, with 25 years of experience ranging from telco/carrier to advanced technology startup environments, focusing on the creation and delivery of global managed services. Greg has been with NTT for over 10 years, focusing on the engineering and product development of its cybersecurity platforms, products, and services. Greg has also held various engineering and executive roles at companies such as Intuit, Cisco, Silver Lake Sumeru, Exodus Communication, Cybera, and several overseas technology startups and multinational technology companies. He is an active member of IEEE, ISC2, and ISSA.
Takeaways:
New SEC Rules: Companies must disclose cybersecurity incidents and strategies, ensuring transparency for investors.
Universal Compliance: Regulations like PCI DSS and HIPAA apply to businesses of all sizes, making cybersecurity a universal concern.
XDR Advantage: XDR supports cybersecurity compliance by centralizing threat detection and response and by retaining the detection and response records that auditors ask for.
Bibliography:
U.S. Securities and Exchange Commission (SEC). "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure." SEC.gov, 2024.
Payment Card Industry Security Standards Council. "Payment Card Industry Data Security Standard (PCI DSS)." PCIsecuritystandards.org.
U.S. Department of Health & Human Services (HHS). "Health Insurance Portability and Accountability Act (HIPAA)." HHS.gov.
European Union. "General Data Protection Regulation (GDPR)." EU GDPR.
A. Shaji George, S. Sagayarajan, Dr. T. Baskar, & A. S. Hovan George. (2023). Extending Detection and Response: How MXDR Evolves Cybersecurity. Partners Universal International Innovation Journal, 1(4), 268–285.
The Importance of XDR for Regulatory Compliance
5 September 2024 | XDR