US cybersecurity compliance requirements by industry
Cybersecurity is important for all industries to protect sensitive information and customer data. Different industries have different regulations that they must comply with depending on the type of data they use and store. Read on to learn more about some of the cybersecurity regulations in some regulated industries.
Financial cybersecurity regulation and compliance
The financial sector has some cybersecurity requirements that are set by federal and state regulators. The most common requirements are those contained in the Federal Financial Institution Examination Council (FFIEC-IT) manual.
This rulebook consists of a series of brochures that contain resources and requirements that are expected of financial institutions. There are also various guidelines issued by financial regulators.
An example of this is the Office of the Currency Auditor (OCC), which has issued guidelines on third party risk management. These instructions apply to all organizations that fall under their responsibility.
Retail Cybersecurity Regulations and Compliance: PCI DSS
The retail sector is not regulated nationwide, but has regulations that are set out in the Payment Card Industry Security Council's Data Security Standard (PCI DSS). This group issues security standards that must be followed by any organization that processes card payments or stores payment card information, including all retailers who conduct credit card transactions.
Failure to comply with PCI DSS compliance could result in fines ranging from $ 5,000 to $ 100,000 per month from your credit card company. Also, you could lose your merchant's account with your bank.
Healthcare Cybersecurity Regulations and Compliance: HIPAA
The best-known standard for healthcare cybersecurity compliance is the Health Insurance Portability and Accountability Act. HIPAA sets the cybersecurity standards for healthcare organizations, insurers, and third-party vendors that medical organizations work with.
This standard enforces the protection of personal health information (PHI) that patients make available to their medical service providers both digitally and in other forms.
Department of Defense Cybersecurity Regulations and Compliance: DFARS and CMMC
Due to the sensitive information that the Department of Defense holds regarding national security, companies in their supply chain must meet the cyber requirements established in the EU as a condition for the provision of a service for the US Department of Defense (DFARS) (Defense Federal Acquisition) Regulation Supplement) and procedural instructions and information (PGI).
DFARS describes cybersecurity standards that third-party vendors must meet and comply with before doing business with the DOD to protect sensitive defense information. In addition to DFARS, a new set of rules called Cybersecurity Maturity Model Certification (CMMC) is currently being introduced.
Due to the strict guidelines of these federally mandated requirements, many DoD contractors work with a company that specializes in IT services for DoD contractors to keep abreast of changes and remain eligible for DoD contracts.
Consumer data cybersecurity regulations and compliance
Currently, 47 out of 50 states have cybersecurity compliance requirements in place so that businesses can notify states of security breaches that have compromised customer data.
For example, if your company stores sensitive personal information about customers, such as social security numbers, bank account numbers, or payment card information, and you discover a breach, you need to notify those affected. The Federal Trade Commission (FTC) can also penalize organizations that fail to adequately protect consumer data.
Insurance cybersecurity regulations and compliance
While regulations for insurance departments and companies can vary from state to state, many have set requirements to protect consumer information. Interest in further regulations in this area has also increased.
The New York State Treasury Department (DFS) recently proposed new cybersecurity regulations for both financial organizations and insurance companies.
Energy cybersecurity regulations and compliance
The Federal Energy Regulatory Commission (FERC) has the power to establish cybersecurity regulations for a number of different electricity companies and operators. The standards are created by a non-profit agency called North American Electric Reliability Corporation (NERC), and the regulations are known as Critical Infrastructure Protection (CIP) standards.