Cybersecurity laws and legislation (2024 update)
Determining the cybersecurity regulations that apply to your business depends on the industry you operate in, the geographical location of your organization, the location of your clientele, and other factors. Here are some of the most important cybersecurity laws and industry regulations for MSPs, including some that are new in 2024, broken down by region:
The United States
Operating in the United States requires compliance with several laws dependent upon the state, industry, and data storage type.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patient health information. If you provide cloud hosting services to a healthcare provider, you must ensure your systems adhere to healthcare cybersecurity regulations.
The Federal Information Security Modernization Act (FISMA) requires every government agency to develop a method to protect their information systems against cyberattacks. This act was originally passed in 2014, but it was overhauled in 2023 to support more effective cybersecurity methods and improve coordination amongst various federal agencies. MSPs serving state and local governments or federal government agencies need to align their cybersecurity stack with this law to allow their clients to minimize risk exposure and meet their compliance requirements.
The Gramm-Leach-Bliley Act (GLBA) regulates the collection and handling of financial information. Any organization that collects or stores financial data must comply with this law.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards and requirements for companies and merchants that process, store, or transmit cardholder data from trustworthy card schemes such as Visa and Mastercard. Any MSP that processes payment card data must be compliant with this regulation. On March 31, 2024, PCI DSS version 3.2.1 officially retired, and version 4.0 became mandatory, now requiring the use of multi-factor authentication.
In addition, if you have clients in the financial services sector, you may be subject to the New York Department of Financial Services (NYDFS) cybersecurity regulation.
NYDFS regulation is expanding, making it a very important regulatory body for MSPs and IT professionals nationwide. Recent additions to the NYDFS regulations require more stringent notification procedures, specifically when it comes to ransomware deployment. These new requirements affect leadership responsibility, stress the importance of sound vulnerability assessments, and elevate the need for incident and disaster response and recovery. While these regulations only apply to the New York jurisdiction now, they could foreshadow other states’ reporting requirements in the near future.
The Executive Order on Improving the Nation’s Cybersecurity, signed in 2021, was created in the wake of several high-profile cybersecurity incidents in the US. The goal was to modernize cybersecurity by implementing protected networks for federal institutions to better respond to cybersecurity incidents and improve collaboration between the public and private sectors. Since its original issuance, the US government has released further plans on how to strengthen cybersecurity resilience. For example, in March 2023, the Biden administration pushed mandatory regulation on critical infrastructure vendors and green-lit a more aggressive “hack-back” approach to dealing with foreign adversaries and ransomware actors.
The Security and Privacy Controls for Information Systems and Organizations covered in NIST SP 800-53 Rev. 5 are a set of guidelines issued by the US National Institute of Standards and Technology that regulate how governmental agencies approach cybersecurity. Though geared towards governmental bodies, NIST SP 800-53 Rev. 5 shares many components with the NIST Cybersecurity Framework, which provides public and private organizations alike with a comprehensive set of best practices for protecting systems from cyberattacks. Building on previous versions, NIST Cybersecurity Framework version 2.0 was published in February 2024 and contains new features that highlight the importance of governance and supply chains. Acknowledging the importance of cybersecurity for small businesses, NIST also published resources specifically tailored to SMBs with modest or no cybersecurity plans currently in place. MSPs can leverage these tools when assisting clients in strengthening their cybersecurity posture.
As of December 18, 2023, publicly traded organizations must comply with the Securities and Exchange Commission (SEC) incident disclosure regulations, which were originally unveiled in July 2023. Under the new rules, publicly traded companies are required to report cybersecurity incidents within four business days of determining that the incident is “material,” meaning it would potentially impact a shareholder’s investment decisions. While many existing government regulations and industry standards have required organizations to establish business continuity and incident response plans in the past, the new SEC rules put more pressure on cybersecurity practitioners than ever before.
As time is of the essence, a well-practiced incident response program will be critical. It’s no longer about having a plan in place; it’s about how well it can be executed, which will require many organizations to depart from their current practices. This offers MSPs additional opportunities to provide services to their client base, as they can offer not only backup and recovery services but also consider delivering incident response tabletop exercises.
The California Consumer Privacy Act (CCPA) is a state law enacted on July 1, 2023. This law protects the personal information of California residents, requiring companies to provide customers with access to and control over their data. Like the GDPR, this legislation applies not only to California-based operations but to any entities seeking to engage with California residents and organizations.
The European Union
The European Union has enacted several data privacy laws to protect the personal information of its citizens. The General Data Protection Regulation (GDPR) is one of the most important regulations to be aware of, as it sets out the requirements for collecting, storing, and processing personal data.
MSPs that operate in the EU must ensure their systems adhere to GDPR standards and be prepared to face hefty fines if found in violation. Some of the key features of the GDPR include the following:
- Providing clear and transparent information on how data is being collected, stored, and used
- Establishing protocols for responding to data breaches
- Ensuring data is only kept for as long as necessary
The United Kingdom
The Data Protection Act (DPA) is a UK law regulating the handling of personal data. Passed in 2018, it replaces the previous Data Protection Act (1984) and lays out data processing requirements for organizations, including MSPs.
The DPA requires organizations to inform customers about their data handling practices and provide a way for customers to access and delete their data. It also sets out requirements for handling data breaches, preventing unauthorized access, and ensuring secure data disposal.
Cyber Essentials is similar to the NIST Cybersecurity Framework in the US in that it is a government-backed set of cybersecurity standards that organizations are encouraged to follow. In fact, to bid on government contracts, organizations must be certified for Cyber Essentials.
MSPs operating in the UK must also pay attention to the Network and Information Systems (NIS) regulations and their successor, the Network and Information Security 2 Directive (NIS2), which replaced the original NIS Directive. The NIS2 Directive introduced new reporting requirements for data breaches and increased fines for non-compliance. NIS2 is getting yet another major update that will be in effect starting October 17, 2024. The expanded NIS2 Directive is the EU’s response to the COVID-19 pandemic and the newly evolved cyberattack landscape.
ASEAN/Oceania
Though ASEAN countries have yet to pass an overarching regulatory framework, the Association of South East Asian Nations announced a Cybersecurity Cooperation Strategy that adopts many vital tenets of the GDPR and DPA. This includes protecting personal data, ensuring secure data storage and disposal protocols, and informing customers of their rights related to cybersecurity.
With a comprehensive framework in place, MSPs can ensure that their cybersecurity practices comply with the laws of each country in the region.
In Australia, there is already a general standard for cybersecurity professionals to follow: the Australian Cyber Security Centre’s Essential Eight. Similar to Cyber Essentials and the NIST Cybersecurity Framework, these are a set of mitigation strategies and controls that help protect Australian businesses from cyberthreats. This primarily focuses on protecting Microsoft Windows-based network connections but can also be applied to other platforms.
The Security of Critical Infrastructure Act 2018 (SOCI) outlines the legal obligations of companies that own, operate, or have direct interests in critical infrastructure assets, including MSPs.
Cybersecurity laws to watch
Governments worldwide continue to pass more stringent cybersecurity laws and regulations as technology evolves. Here are some of the most important laws and legislation for MSPs to focus on.
The EU Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component. The act would see inadequate cybersecurity features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle. This law is expected to come into effect in Q3 2024.
The Digital Operational Resilience Act (DORA) is an EU regulation that won’t be in effect during 2024, but organizations still need to prepare for it, as it will be applied from January 17, 2025. DORA aims to improve the operational resilience and cybersecurity of financial institutions, including banks, insurance companies, investment firms, payment service providers, and other entities engaged in financial services. The focus is on areas such as risk management, third-party risk management, incident management and reporting, testing of resilience and cybersecurity setups, and information sharing between institutions.
In the US, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed in March 2022. It requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and publish rules for companies providing critical infrastructure, such as the requirement to report covered cybersecurity incidents within 72 hours. The CIRCIA rules are still under review but are expected to be published by CISA in 2024.
How MSPs can adapt to regulatory changes
Adapting to new regulatory changes may seem daunting for MSPs, especially those new in the space. Fortunately, you can do several simple things to adapt to the changing times.
First, an MSP should adopt and adhere to a cybersecurity framework or standards that align with the primary industries they support. For most MSPs, the CIS Controls or NIST Cybersecurity Framework are a great starting point.
From there, ongoing cybersecurity awareness training, inventory management, change management, and regular vulnerability assessments are crucial to any successful cybersecurity program.
Finally, MSPs should create an easy-to-follow incident response plan and ensure that it is tested regularly with all employees through tabletop exercises.
Maintaining compliance with the ever-evolving regulatory landscape is integral to running a successful managed service provider business. MSPs must stay abreast of the latest laws and regulations to ensure that their practices remain best practices. Though rules and regulations constantly change, resources such as Microtech are here to help MSPs stay informed on the latest global developments.
Cybersecurity solutions to tackle new regulations
Ultimately, the cybersecurity regulations outlined here are meant to better the world’s digital experience. While managing compliance with these regulations may seem challenging and cumbersome, there are ways to make compliance within your clients’ organizations more practical and increase the efficiency of your compliance offering.
Partnering with an experienced MSP software provider is one way you can make regulatory compliance easier. ConnectWise professional service automation tools can handle your reporting and administrative tasks, and our 200+ security operations center (SOC) analysts can help maintain compliance with more complex cybersecurity tasks.