May 20, 2024

Regulatory and Compliance Challenges in InfoSec: A U.S. Forecast for 2024-25

Compliance violations reached unprecedented levels in 2023, racking up over $10 billion in penalties worldwide. This staggering amount of financial loss serves as a wake-up call for businesses to prioritize compliance and rethink their security strategy to avoid financial fallout and reputational risks.

As we approach 2025, security and compliance professionals need to stay alert to combat emerging regulatory threats. Let’s explore some of the key challenges in the U.S. and how you can mitigate them.

The Evolving Regulatory Maze

The U.S. Information Security (InfoSec) regulations keep changing in response to emerging threats and technological advancements. Recently, NIST released the CSF 2.0 framework, expanding its scope to all organizations and added a new “Govern” function focused on risk management strategy, expectation, and policy.

As threats and regulations continue to evolve, organizations have a pressing need for proactive approaches to maintain compliance. However, keeping up with new developments — and implementing them — can be a significant challenge.

A Coalfire Compliance Report 2023 found out that 21% of organizations plan to do nothing until a required audit. This delay can often lead to non-compliance, resulting in huge penalties, restrictions in operations, loss of licenses or permits, and reputational damage. In this rapidly evolving yet disruptive era of security threats, compliance professionals have to continuously keep track of shifts in global, federal, state, and local regulations.

Deciphering the Regulatory Tiers

The scope of InfoSec in the U.S. is multi-layered and complex, so before diving into the challenges, let's first understand the regulatory tiers and their implications for businesses.

Federal Regulations

Federal regulations set the foundational standards for InfoSec compliance across different industries. These regulations establish baseline requirements for data protection, privacy, and security.

Some key federal regulations include:

  • Gramm-Leach-Bliley Act (GLBA) for finance.
  • Health Insurance Portability and Accountability Act (HIPAA) for healthcare.
  • Payment Card Industry Data Security Standard PCI DSS for the payment card industry.
  • Federal Information Security Modernization Act FISMA for federal agencies and contractors.

State and Local Regulations

Each state may have its own data privacy and security regulations, adding an extra layer of complexity. These regulations often supplement federal requirements, imposing stricter obligations on how enterprises handle customer data.

In January 2023, Virginia passed the Virginia Consumer Data Protection Act (VCDPA) with more stringent privacy protections for businesses operating in the state.

Such state-level regulations may include breach notification laws, which require businesses to notify affected individuals and authorities in the event of a data breach. These laws vary by state in terms of notification timelines and scope.

Industry Specific Challenges

When it comes to information security, there is no “one size fits all.” Each industry has its specific vulnerabilities and challenges.

For example, companies in the energy sector must adhere to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) to ensure the power grid is secure and functioning smoothly.

Similarly, the Federal Energy Regulatory Commission (FERC) keeps the energy systems shielded from cyber threats.

Understanding these federal, state, and industry-specific compliance requirements will save you from huge penalties, legal fees, and fines down the line. Following these regulations also means that your customers can trust you to manage their information safely and securely — which, ultimately, enhances business reputation.

Emerging Regulatory Challenges

The tech world is evolving at an explosive pace and so are the compliance and regulations that come with it. Five years back, we probably would not have needed compliance dedicated to the use of Generative AI (GenAI). Today, we have comprehensive acts in place to protect data and information from AI threats.

Evolving AI Threats

As AI’s footprint expands across different sectors, security specialists across the world are trying to figure out how to strengthen security with the help of AI. At the same time, they’re also discovering new risks, which are more complex and sophisticated than ever.

AI-powered malware

AI-powered malware can autonomously analyze system vulnerabilities, adapt its behavior, and exploit weaknesses to gain unauthorized access. It can also selectively encrypt files, evading detection and maximizing the impact of the attack.

Sophisticated phishing and social engineering

Generative AI has empowered threat actors by enabling them to generate realistic emails by incorporating real-time details that make the messages more believable and generate a sense of urgency.

During Black Hat USA 2021, Singapore’s Government Technology Agency shared findings from an intriguing experiment. The security team sent out a mix of human-crafted and AI-generated phishing emails to their employees. The results were eye-opening: more employees clicked the AI-generated emails by a significant margin.

Automated and adaptive attacks

With the use of AI, attackers are now capable of automating attack phases, such as reconnaissance, command and control, and exploitation. The main problem with automated attacks is that they are adaptive to real-time, making them almost impossible to detect or counter.

We’re at an age where security professionals must fight fire with fire. To stay ahead of the curve, leaders need to utilize zero-trust, provide security awareness training, and make AI analytics-driven decisions.

According to a McKinsey report, the use of AI and ML in compliance monitoring and reporting has increased by 40% in 2023. The same year, we also saw a rise in AI guidance and issued regulations, with the first-ever comprehensive law on the use of AI: the European AI Act. Additionally, the US  White House made an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence which promotes innovation while protecting privacy.

Data Privacy Takes Center Stage

As a business, data privacy is your new best friend in the world of InfoSec. In recent years, we’ve seen a surge in data privacy regulations in the U.S., with laws like California Consumer Privacy Act and New York SHIELD Act setting the pace. CCPA secured new privacy rights for consumers in California, ranging from the right to know what data is being collected to the right to delete the data if requested by consumers.

Similarly, the NY SHIELD Act expanded the definition of a data breach to include unauthorized access to private information. This further requires businesses to invest in monitoring and detection systems that can identify and address unauthorized access in addition to actual data theft.

These regulations were a game-changer, allowing consumers to have more control over their data and privacy. And it’s not the only two states to employ such laws — similar regulations are popping up across the country. Colorado, Connecticut, and Utah are following suit with new data privacy laws that are set to take effect in 2024-25.

This is great news for consumers, but what does it mean for businesses?

Businesses need to comply with lawful data processing and safeguarding customer information. From data collection and storage to sharing and disposal, businesses must prioritize data privacy and protection in their operations.

No items found.

Strategies for Navigating Regulatory and Compliance Challenge​​s

Building a Strong Security Foundation

A strong security program is vital for protecting sensitive data and maintaining compliance.

Some strategies to take note of:

  • Advanced encryption: Secure sensitive data by employing strong encryption protocols.
  • Access control: Implement role-based access control (RBAC) to limit unwanted access.
  • Employee training programs: Conduct regular training about social engineering, phishing emails, manual error, and insider threats.
  • Continuous monitoring: Utilize security information and event management (SIEM) systems for real-time threat detection and response.

Continuous Vigilance is Key

When it comes to InfoSec, you can’t afford to be caught off-guard. Staying vigilant about any changes, big or small, is crucial in maintaining the security posture of your organization.

However, there are a lot of changes. How can businesses even prepare?

To kick things off, start with a gap or readiness assessment on your current security posture. This assessment can help identify where you stand and what needs attention. This way, organizations can prepare a comprehensive plan and work on things in order of priorities.

Once you know your security posture is in good shape, build in these best practices to stay up to date:

  1. Utilize industry-specific websites like Thomson Reuter, and ISACA Journal for changes in regulations.
  2. Monitor government websites like the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) for authoritative guidance, best practices, and insights.
  3. Leverage threat intelligence feeds to monitor emerging cyber threats and vulnerabilities in real-time, integrating this information into your security operations.

Tailoring Compliance Strategies

Tailoring InfoSec strategies to fit the industry is an essential part of staying on the right side of compliance. This allows you to tackle risks head-on and boost defenses across sector-specific threats.

Some strategies to streamline compliance efforts:

  1. Conduct routine risk assessments to identify vulnerabilities specific to your industry.
  2. Align your security protocols with industry-specific frameworks such as NERC CIP, FERC, HIPAA, etc.
  3. Upskill your team to stay ahead of potential threats by offering specialized programs related to industry risks and vulnerabilities.
  4. Monitor vendor assessment for third-party vendors and set clear security expectations in contracts.

A recent study estimated that 60% of organizations will determine business and engagement with third-party vendors by using cybersecurity risk assessment as a key factor by 2025.

Partnering with Experts

Regardless of how strong your security posture is, cyber attacks are imminent. By strategically partnering with trusted experts, you can alleviate repetitive or low-risk work, like filling out a high volume of security questionnaires. You can reinvest this saved time on high-impact  projects to further your security program and develop overall compliance.

SecurityPal takes care of your never-ending security questionnaires and offers comprehensive third-party vendor risk assessments so you can build trust with your customers and vendors, without doing the heavy lifting. .

Staying Alert in 2024-25

As we approach 2025, one thing in InfoSec is absolutely certain: staying safe requires a proactive approach.

With various federal, state, and local regulations being introduced and rapidly adapted, security leaders must come up with a tailored and proactive approach to build resilience against emerging threats and ensure long-term compliance success.

No items found.
Dipshikha Giri
Content Lead