What to look out for when it comes to cybersecurity regulations in 2024
It’s been another busy year for cybersecurity regulations. We saw a new National Cybersecurity Strategy by the White House in March, and throughout the year, we’ve seen the National Cybersecurity Center (NCSC) launch several new initiatives to increase cyber resilience.
As mentioned by Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea, the landscape of cybersecurity compliance is expected to "evolve significantly, driven by emerging technologies, evolving threat landscapes, and changing regulatory frameworks."
Cybersecurity is in the spotlight more than ever before. The UK and US governments have significantly increased their focus on cybersecurity as a strategic national issue. So, with new cybersecurity regulations expected to be introduced and existing ones set to be expanded, what can we expect in 2024?
Carson believes that with the evolving threat landscape, more countries and regions are going to adopt pre-existing cybersecurity and privacy regulations that have already been adopted in other parts of the world.
"Privacy regulations like the GDPR [General Data Protection Regulation] and CCPA [California Consumer Privacy Act] have set the stage for stricter data protection requirements. We can expect more regions and countries to adopt similar regulations, expanding the scope of compliance requirements for organizations that handle personal data."
Kelly Ahuja, CEO at Versa Networks, believes that the international privacy laws now in place for data protection will completely change the way organizations use the cloud.
"In 2024, data sovereignty will drive the creation of private, localized infrastructure and operations to comply with these regulations, challenging the traditional approach of a cloud-delivered model that has data exported out of country."
The impact of cyberattacks in today’s world means that the risk can no longer be ignored by governments worldwide. Aaron Kiemele, CISO at Jamf, believes that we are going to see more regulations in 2024 as “governments worldwide recognize the economic and national security risks of cyber threats”, but that they will differ widely depending on the region.
“In the US, industry-specific cybersecurity regulations will continue to be implemented at the state rather than federal level. While not as stringent as some global regulations, threats like ransomware will push more states to follow New York’s model requiring minimum security standards.
"In contrast, European and APAC countries are likely to see expanded nationwide cybersecurity compliance requirements. Organizations in those regions will need to commit resources to meet the new regulatory bar for technology, staffing, and reporting."
As well as more region-specific regulations, Sabeen Malik, VP Global Government Affairs and Public Policy at Rapid7, expects to see more real-time information sharing within global public-private cyber partnerships.
"Instead of just sharing the usual threat intelligence of cyber threats and cyber risks, governments and businesses will join hands to share threat intel, resources and bolster defenses in concentrated ways to deal with specific threats," said Malik.
"Ultimately, moving beyond the historical PPPs of quarterly meetings, to a more real-time sharing approach in order to deal with the diminishing timelines between initial entry vectors to final stage payloads."
This year has also been extremely unique when it comes to regulations thanks to the explosion of AI.
Sabrina Gross, Regional Director of Strategic Partners at Veridas, argues that more safeguards around AI will be introduced.
"In 2024, safeguards will begin to focus on how accurately AI performs -- especially when these systems do not have enough information or lack clear instruction.
"There will be a crackdown on AI hallucinations; this includes those created by mistake and those with malicious intent, and safeguards around overwriting AI decisions, which is particularly important in medical and judiciary systems."
Paul Brucciani, Cyber Security Advisor at WithSecure, said: "The strict rules of the EU’s AI Act will have a big global impact, far more so than the non-mandatory guidelines of the US AI Bill of Rights."
Governments worldwide are now rushing to implement regulations and frameworks to ensure AI is used safely. While the responsible use of AI is important, rushing to implement AI regulations will create more problems than it will solve.
John Pritchard, CPO at Radiant Logic, says there’s a fine line between safeguards and stifling innovation when it comes to AI regulations. He argues that "regulations should balance protections without creating a regime that entrenches large tech incumbents."
Pritchard goes on to say: "Regulations in these areas can help build needed protections, we just need to be careful however that we do not stifle the innovation process. Many recent regulatory announcements impose compliance or reporting requirements that significantly limit small companies and the open-source community, key participants in ensuring a healthy ecosystem."
Patrick Ragaru, CEO at Hackuity, thinks that governments will look towards technology companies to strike this balance.
"There is a challenging, and changing, equilibrium between safeguarding consumers, fostering business growth, and advancing technology," said Ragaru. "Expect governments to work closely with tech experts and the private sector to draft flexible, forward-thinking laws. For businesses, it's all about keeping up and staying smart."
It’s not just the challenge of getting the right balance but also the fact that such regulations take years to pass. "It will take years for agreements to be reached on AI security standards and those that are defined will represent the minimum capability that standard-setters consider to be generally appropriate, rather than an aspirational capability," said WithSecure’s Brucciani.
When it comes to cybersecurity, it is also crucial that organizations don’t treat complying with regulations as "job done". "Compliance isn’t just about checking off a long ‘to-do’ list," said Hackuity’s Ragaru.
Fundamentally, it means going above and beyond. Don’t see cybersecurity regulations as the maximum, but rather the minimum, of what can be done. Max Vetter, VP of Cyber at Immersive Labs, argues that organizations should be prioritizing security.
"High-profile examples of the past year, like the MGM breach and the SolarWinds CISO lawsuit, should provide a springboard for security and IT leaders to prioritize workforce cyber resilience in 2024 rather than merely prioritizing compliance. The bottom line is that the most compliant organizations are not necessarily the most secure ones."
For Pedro Fortuna, Co-Founder and CTO at Jscrambler, organizations need to be ready for the evolution of standards, and he points to PCI v4.0 as a particular case in point.
"The new year marks the time to act, as it brings us closer to PCI v4.0 taking mandatory effect in 2025. There will be a transition from standards research and technology budgeting to vendor research, selection, and implementation to meet the new requirements."
When it comes to regulations, 2023 has been a year of education, but much of 2024 will be about strengthening regulations and ensuring compliance. However, complying with regulations doesn’t mean you are automatically secure. Whether regulations are changed or new ones are introduced, they should always be seen as the bare minimum for ensuring cyber resilience.
Robin Campbell-Burt is CEO at Code Red.