Luke Dash, CEO of ISMS.online, explains how to navigate the increasingly complex data protection and cybersecurity compliance landscape.
It is clear that regulators are ramping up their efforts to hold organisations accountable for failing to safeguard consumer data, with several prominent cases involving hefty penalties having made headlines in recent times.
Following the revelation late last year that major consumer credit rater Equifax was fined £11 million for its involvement in one of the largest cybersecurity breaches in history, there has been a steady stream of similar breaches and penalties in 2024. In the US, for example, the Intercontinental Exchange was recently hit with a $10 million penalty from the Securities and Exchange Commission (SEC) for failing to inform the authorities about a cyber intrusion.
Critically, such penalties have become incredibly commonplace for enterprises of all shapes and sizes. In fact, according to ISMS.online’s ‘State of Information Security’ report, over 99% of UK businesses have received substantial fines for data breaches or violations of data protection rules in the last year.
Undoubtedly, this is a problem. Today, companies not only contend with the threat of cyber attackers wreaking havoc with ransomware or tarnishing their reputation through data breaches. Equally, they now also face the pressing prospect of substantial fines for noncompliance.
Clearly, the most obvious way to kill both birds with one stone is to align with the compliance demands set out by regulators. By adhering to the best practices advised, firms will be well placed to mitigate the risks of an evolving threat landscape while also avoiding potential fines. However, this is, of course, easier said than done.
The reality is that many businesses are struggling to align with a growing array of increasingly demanding IT and security frameworks and legislation. The 99% is no coincidence. Indeed, in ISMS.online’s latest report, regulatory compliance was cited as a hurdle by 32% of respondents (up from 27% in 2023), making it the joint second most common challenge – behind vendor and third-party risk (38%), and alongside skills shortages.
DORA, NIS2 and The Cyber Security and Resilience Bill
Critically, it is the growing scale and complexity of industry regulations that is giving cybersecurity teams headaches.
The vast amount of legislation affecting organisations, along with its rapid evolution and frequent updates, makes both achieving and sustaining compliance difficult. Furthermore, these regulations demand diverse technical and organisational standards that are often inconsistent with one another.
We see this in the case of both the Digital Operational Resilience Act (DORA) and the latest iteration of the Network and Information Security Directive (NIS2).
DORA
Financial entities that are expected to be compliant with DORA by early 2025 face a major challenge in the form of third-party due diligence – a key component of the regulations that is emphasised in Chapter V, ‘Managing of ICT Third Party Risk’. This section mandates that potential new vendors undergo risk assessments, and institutions establish standard internal procedures to manage these risks. In essence, the goal is to safeguard the security of institutions and their data, even if a third party is compromised.
This requirement is highly relevant. Indeed, according to the ISMS.online report, 79% of businesses experienced an information security incident caused by a third-party vendor or supply chain partner in the past year – an increase of over 20%. However, that doesn’t mean that adapting to these regulations will be easy.
With DORA demanding the increased scrutiny of relationships with service providers, those providers may need to comply with additional information, auditing, and access obligations to operate within the financial sector. Financial services firms, meanwhile, need to stay on top of this, potentially ensuring that all their partners and suppliers are vetted in detail to be compliant themselves.
NIS2
NIS2, meanwhile, came into effect in 2023, having been developed to enhance the protection of critical infrastructure within EU member states by preventing, detecting, and responding to cybersecurity incidents.
As an update to the previous NIS guidelines, one of the core changes in NIS2 is the expanded scope of the regulations that now apply to entities in additional vital sectors. This includes providers of digital services like search engines and cloud computing services.
Further, it also requires a variety of heightened measures, spanning risk analysis and information system security policies, incident handling protocols, business continuity plans, cybersecurity testing and auditing procedures, supply chain and network security measures, cryptography and encryption.
Again, the expanding scope of these regulations provides additional compliance challenges to a broader array of enterprises.
The Cyber Security and Resilience Bill
We also have the UK’s Cyber Security and Resilience Bill, which was proposed in the King’s Speech and is due to be introduced into Parliament in the coming months. The bill “will strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure” and comes at a time when organisations face a heightened cyber threat.
The bill also looks to expand the scope of the current NIS Regulations 2018 “to protect more digital services and supply chains”, mandate increased incident reporting, and strengthen the powers of regulators to investigate and mitigate cyber threats. With this bill coming into play, there will be even more regulation for businesses to contend with, as the UK appears to be diverging from NIS2 and taking it one step further.
How can firms effectively bridge the compliance gap?
For many firms, having the necessary resources, expertise, time, and budgets to continuously monitor, adapt, and adhere to the ever-changing landscape of regulatory requirements is unrealistic. Perhaps for that very reason, 65% of respondents to ISMS.online’s survey find that the rapid pace of regulatory change makes it harder to comply with information security best practices.
Nonetheless, the compliance burden is not expected to ease any time soon. As threats continue to evolve, the regulatory demands on businesses to protect themselves are only expected to intensify.
Therefore, it is imperative for companies to find sustainable ways to maintain compliance, with outsourcing emerging as an attractive, viable, and cost-effective option.
Encouragingly, we see great intent to bridge the existing compliance gap. Indeed, 59% of respondents say they’re planning to increase spending on these programmes over the coming year, with a fifth (19%) set to ramp up investment by over 25%.
Further, the motivation is sound. Just 19% of respondents say that compliance ambitions are driven by the avoidance of penalties, with more common motivating factors cited including the need to remain competitive (34%), increased customer demand (34%), and protecting business (30%) and customer (29%) information. In addition, 27% also cite the prospect of entering new markets and supply chains as a motivating factor.
While all of the above is true, there are also many other potential merits of cybersecurity compliance. Looking at ISMS.online’s respondents’ experiences, some of the most significant returns seen from investing in compliance programmes in the last year have included an improved business reputation as a secure and reliable entity (34%), cost savings from a reduced number of cybersecurity incidents (30%), time savings from more efficient security processes (29%), and greater appeal to investors looking for low-risk companies (28%).
In this sense, the merits of investing in compliance are both abundant and clear. By adhering to best practice frameworks, firms can establish a solid foundation that builds trust among customers, shareholders, regulators, and other stakeholders.
And compliance no longer needs to be perceived as a daunting task. It doesn’t have to be lengthy or laborious. Importantly, this isn’t a challenge that firms need to tackle alone. With the right guidance, expertise, software, and tools, the process can become significantly easier and more streamlined.
Indeed, help is readily available to make the journey smoother and more manageable for businesses.