Get Wise to These 5 New Cybersecurity Laws

Laws are often passed when a situation becomes so dire that legislators feel the need to step in and apply some teeth. And when it comes to combating cybersecurity incidents, there seems to be no shortage of global legislative and regulatory reaction to the ongoing procession of headline-grabbing data breaches and attacks affecting organizations around the world. Major security events have been occurring for more than a decade, but as global connectivity and reliance on IT systems rises, the perilous consequences of these incidents continue to expand.

Here is a breakdown of five measures - two in the United States, one in the European Union, one in Australia and one in China - that are likely to impact you in the not-too-distant future, if they haven't already. Get your compliance and legal teams ready.

1) New York State Department of Financial Services Regulation (23 NYCRR 500) 

Current status: Effective as of March 1, but full compliance not required for 18 months

What's it all about? New York state enacted a prescriptive law affecting banks and insurers (with greater than 10 employees) doing business within its borders. With New York serving as a primary hub for global finance, the requirements are certain to have ripple effects around the world.

In addition, the regulation is expected to serve as a model for other states, much like California's trailblazing S.B. 1386 did for data breach notifications. Among other provisions, the New York state law requires that "covered entities":

  • Designate a CISO (who can be employed by an affiliate or third-party provider).
  • Conduct a periodic risk assessment, including of outside vendors, which are the sources of a growing number of breaches. For example, law firms
  • Detect security events.
  • Perform annual penetration testing and bi-annual vulnerability assessments of information systems.
  • Ensure secure development practices for application development.
  • Restrict and review user access privileges to only those systems that access non-public information.
  • Limit data retention.
  • Establish a written incident response plan.
  • Use "qualified" security personnel, which can include third-party providers, to manage risks and core security functions.

What's next? Covered entities also are required to attest to annual compliance. More details can be found here (PDF).

2) The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

Current status: Becomes law May 2018

What's it all about? The goal of the regulation, which affects all businesses operating in the EU, is to harmonize data protection laws across the 28 member states and "make Europe fit for the digital age." The GDPR aims to "give citizens back control over their personal data, and to simplify the regulatory environment for business." The regulation will place a clear onus on businesses that collect and manage the personal information of EU citizens to protect that information from misuse.

What's next? Businesses are racing to comply with the new regulation - or risk being sued.


3) The Cybersecurity Disclosure Act of 2017 (S. 536)

Current status: Introduced in the U.S. Senate

What's it all about? We all know the security skills shortage is an issue for IT departments. But did you know the conundrum also extends to boards of directors? New proposed legislation from Democratic Sen. Mark Warner of Virginia would require boards of directors at public firms to disclose to the Securities and Exchange Commission whether one of their members has security expertise. If they are unable to disclose that, they must explain how they are compensating for this shortcoming. Consumer advocates have reportedly voiced support for the measure as calls for boardroom accountability on security issues grow.

What's next? This one has far less certainty than the others included in this list. The bill is expected to come up for a vote at an undetermined date.

4) Privacy Amendment (Notifiable Data Breaches) Bill 2016

Current status: Passed both houses of the Parliament of Australia in February, expected to take effect in February 2018

What's it all about? Organizations will be required to notify the Australian privacy and information commissioner if they experience a breach and affected individuals are at "risk of serious harm" due to the disclosure of sensitive data.

What's next? This bill has been many years in the works, but now organizations must study the measure and prepare for what, when and how they would disclose in the event of a breach. More details can be found here.

5) The People's Republic of China Cybersecurity Law

Current status: Adopted last year, expected to take effect June 1

What's it all about? All eyes are on this measure, as many governments and corporations don't quite know what to expect when it takes hold. Specifically, the law calls for critical infrastructure protection under the guise of national security, but it has been met with strong foreign opposition and confusion from companies and human rights groups - mainly over fears of further internet regulation and concerns that businesses that operate in the country will be forced to turn over sensitive information for storage in mainland China. An unofficial English translation of the law is available here.

What's next? The compliance groups at global companies are diligently working to determine how they can meet the new law.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
