The General Data Protection Regulation (GDPR) recently turned six! Six years of governing the way in which organisations can use, process, and store personal data for the benefit of individuals' privacy. However, with recent technological advancements, like AI, coming onto the scene, data protection no longer looks like it did in 2018. In addition, organisations are having to adhere to new regulations or adopt additional frameworks, such as DORA and NIS2, to stay compliant in the cyber security game.
In order to understand this ever-changing regulatory landscape, we spoke to eight cybersecurity experts about the latest developments and how businesses should navigate their way through.
Can regulations keep up with AI?
Although the technological advancements of the modern day are of benefit to businesses and encourage innovation, they also pose a cyber security threat. This threat can be overlooked as organisations get caught up in the excitement of a new development, and before we know it, the technology has advanced before there is a chance to regulate it. In the case of AI, by the time a regulation is even approved, the technology has developed even further.
Chris Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise Company, explains this: “The regulatory process is slow, requiring extensive review and validation to provide accurate guidelines for robust cybersecurity. Consequently, regulations often lag behind the latest AI advancements.”
However, it is argued that companies have a duty to be proactive when it comes to ensuring cyber security in this advanced technological landscape. Chris Denbigh-White, CSO at Next DLP, says: “Organisations need to act thoughtfully through a framework whereby they understand the data flows and risks. There’s no reason AI can’t be compliant with the various regulations, but companies need to take the time to get it right.”
Richard Starnes, CISO at Six Degrees, adds to this: “Unfortunately, with the introduction of AI, the slew of new regulations coming into effect will not slow down anytime soon. But, AI also brings with it new challenges. European data protection legislation states if an organisation wishes to make a decision about a person, they must be able to demonstrate how that decision was made; however, with AI it is not possible to query the LLM and ask why it made a particular decision. It is continuously learning, but it doesn’t (and likely doesn’t have the capabilities to) keep track of where it’s learnt from and therefore how it came to that decision.”
What cyber security regulations are round the corner?
Although the race to regulate AI is dominating at the moment, there are several sector-specific regulations also in the works to ensure that all organisations remain safe and secure whilst integrating current and future technological developments.
The Digital Operational Resilience Act (DORA), for example, is a European Union regulation aimed at strengthening the IT security and operational resilience of financial institutions, and it is set to come into play next year. It provides a consistent regulatory framework across the EU, reducing fragmentation and improving regulatory clarity for financial institutions operating in multiple EU countries.
Philip Pearson, Field Chief Information Security Officer at Aqua Security, explains what DORA is and what the repercussions could be if financial organisations fail to comply: “Designed to strengthen IT security across a wide range of financial entities, DORA comes into force in early January 2025. It focuses heavily on improving resilience ‘in the event of a severe operational disruption’. Failure to comply can result in penalties of up to 2% of the total worldwide revenue for any organisation found to be in breach. For any business leaders that operate within the parameters set out by GDPR, the jurisdiction rules will have a familiar ring about them, and the UK’s position outside of the EU will, for many organisations, be an irrelevance.”
In addition, the Product Security and Telecommunications Infrastructure (PSTI) Act aims to outline the requirements for consumer IoT devices in the UK, and will come into effect on 29 April 2024. It aims to create a transparent, accountable, and ethical public service sector. By enhancing transparency and accountability, the act helps reduce corruption and unethical behaviour in public services, as well as promoting trust in government institutions by ensuring that they operate in an open and responsible manner. Failure to comply with PSTI imposes legal penalties, including fines, dismissal, and imprisonment for severe breaches.
Nick Palmer, Solutions Engineer at Censys, explains how this legislation will shift this responsibility: “This legislation is a good start – it’s vital that we create a culture of increasing accountability around cybersecurity standards in manufacturing, and introducing legislation will be a key part of that. It will, at the very least, force manufacturers to start thinking more about security, and take some responsibility for it. The UK’s PSTI Act will shift that responsibility onto the manufacturers.”
Another framework to keep an eye on is the Network and Information Security Directive (NIS2). It is a set of regulations by the European Union aimed at improving the cybersecurity and resilience of critical infrastructure and essential services. They are not legally enforced; however, following such soft guidelines helps organisations to be compliant with regulations, both avoiding penalties and ensuring robust cyber security.
Chris Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise Company, discusses what NIS2 is and the benefits of following the guidelines: “Organisations that do adhere to frameworks like NIS2 are likely to align closely with regulatory requirements, as these frameworks encapsulate the core principles of the laws they are based on. By following these guidelines, organisations can better ensure compliance and reduce the risk of regulatory issues, whilst still securely protecting data, even as the AI landscape continues to evolve rapidly. While regulations naturally cannot keep pace with the rapid advancements in AI, frameworks play a crucial role in assisting with data protection to the best extent possible and should absolutely be implemented as part of an organisation’s cybersecurity measures.”
Approaches
With all of these different regulations in play, how do organisations ensure that they are compliant with each one and keep their critical systems and data protected?
Michael Woolslayer, Policy Counsel at HackerOne, argues that the key is to find vulnerabilities at the early stages, allowing them to be addressed before they cause detrimental damage: “Early vulnerability disclosure helps mitigate potential cyber threats before they escalate into larger security incidents. By requiring manufacturers to provide clear channels for reporting vulnerabilities, the regulation will help to ensure quicker identification and resolution of security flaws, ultimately protecting consumers. Vulnerability Disclosure Programs (VDPs) foster a collaborative environment where security researchers, consumers, and manufacturers work together to enhance product security.”
Similarly, Jason Keirstead, VP of Collective Defense at Cyware, advocates for a collective defence approach, and breaks down how it can assist organisations: “A collective defence approach to cyber security, which involves organisations working together to share threat information, resources, and strategies to defend against cyber threats, can help organisations meet regulatory requirements more efficiently and uniformly in a number of ways:
- Enhanced threat intelligence: With access to new and emerging threats through a collective defence network, organisations can quickly adapt to ensure they are meeting regulatory requirements related to threat detection and response – for example, GDPR and HIPAA both mandate a timely response for the detection and reporting of data breaches.
- Standardised security practices: Collective defence encourages the development and adoption of industry-standard security protocols and practices like the NIST framework, which provide a detailed guide to help organisations with their security posture and regulatory compliance.
- Improved incident response: Most regulations require a quick response to data breaches. A collective defence strategy facilitates coordinated incident response efforts which help to both mitigate the impact of breaches and enable organisations to respond more effectively within the required timeframes.
- Continuous compliance monitoring: Collective defence initiatives often include the ongoing monitoring and assessment of security practices, meaning organisations can easily update processes to maintain their compliance on a consistent, regular basis rather than only during times of audit or assessment.”
Staying prepared for whatever the future holds?
Whilst it can be difficult to stay up to date with regulatory developments, monitoring for updates and ensuring compliance with current guidelines can help ensure robust cyber security practices.
As Chris Rogers concludes, “By following guidelines, organisations can better ensure compliance and reduce the risk of regulatory issues, whilst still securely protecting data, even as the AI landscape continues to evolve rapidly. While regulations naturally cannot keep pace with the rapid advancements in AI, frameworks play a crucial role in assisting with data protection to the best extent possible and should absolutely be implemented as part of an organisation’s cybersecurity measures.”