Regulatory and Compliance Challenges in InfoSec: A U.S. Forecast for 2024-25

Compliance violations reached unprecedented levels in 2023, racking up over $10 billion in penalties worldwide. This staggering amount of financial loss serves as a wake-up call for businesses to prioritize compliance and rethink their security strategy to avoid financial fallout and reputational risks.

As we approach 2025, security and compliance professionals need to stay alert to combat emerging regulatory threats. Let’s explore some of the key challenges in the U.S. and how you can mitigate them.

The Evolving Regulatory Maze

The U.S. Information Security (InfoSec) regulations keep changing in response to emerging threats and technological advancements. Recently, NIST released the CSF 2.0 framework, expanding its scope to all organizations and added a new “Govern” function focused on risk management strategy, expectation, and policy.

As threats and regulations continue to evolve, organizations have a pressing need for proactive approaches to maintain compliance. However, keeping up with new developments — and implementing them — can be a significant challenge.

A Coalfire Compliance Report 2023 found out that 21% of organizations plan to do nothing until a required audit. This delay can often lead to non-compliance, resulting in huge penalties, restrictions in operations, loss of licenses or permits, and reputational damage. In this rapidly evolving yet disruptive era of security threats, compliance professionals have to continuously keep track of shifts in global, federal, state, and local regulations.

Deciphering the Regulatory Tiers

The scope of InfoSec in the U.S. is multi-layered and complex, so before diving into the challenges, let's first understand the regulatory tiers and their implications for businesses.

Federal Regulations

Federal regulations set the foundational standards for InfoSec compliance across different industries. These regulations establish baseline requirements for data protection, privacy, and security.

Some key federal regulations include:

• Gramm-Leach-Bliley Act (GLBA) for finance.
• Health Insurance Portability and Accountability Act (HIPAA) for healthcare.
• Payment Card Industry Data Security Standard PCI DSS for the payment card industry.
• Federal Information Security Modernization Act FISMA for federal agencies and contractors.

State and Local Regulations

Each state may have its own data privacy and security regulations, adding an extra layer of complexity. These regulations often supplement federal requirements, imposing stricter obligations on how enterprises handle customer data.

In January 2023, Virginia passed the Virginia Consumer Data Protection Act (VCDPA) with more stringent privacy protections for businesses operating in the state.

Such state-level regulations may include breach notification laws, which require businesses to notify affected individuals and authorities in the event of a data breach. These laws vary by state in terms of notification timelines and scope.

Industry Specific Challenges

When it comes to information security, there is no “one size fits all.” Each industry has its specific vulnerabilities and challenges.

For example, companies in the energy sector must adhere to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) to ensure the power grid is secure and functioning smoothly.

Similarly, the Federal Energy Regulatory Commission (FERC) keeps the energy systems shielded from cyber threats.

Understanding these federal, state, and industry-specific compliance requirements will save you from huge penalties, legal fees, and fines down the line. Following these regulations also means that your customers can trust you to manage their information safely and securely — which, ultimately, enhances business reputation.

Emerging Regulatory Challenges

The tech world is evolving at an explosive pace and so are the compliance and regulations that come with it. Five years back, we probably would not have needed compliance dedicated to the use of Generative AI (GenAI). Today, we have comprehensive acts in place to protect data and information from AI threats.

Evolving AI Threats

As AI’s footprint expands across different sectors, security specialists across the world are trying to figure out how to strengthen security with the help of AI. At the same time, they’re also discovering new risks, which are more complex and sophisticated than ever.

AI-powered malware

AI-powered malware can autonomously analyze system vulnerabilities, adapt its behavior, and exploit weaknesses to gain unauthorized access. It can also selectively encrypt files, evading detection and maximizing the impact of the attack.

Sophisticated phishing and social engineering

Generative AI has empowered threat actors by enabling them to generate realistic emails by incorporating real-time details that make the messages more believable and generate a sense of urgency.

During Black Hat USA 2021, Singapore’s Government Technology Agency shared findings from an intriguing experiment. The security team sent out a mix of human-crafted and AI-generated phishing emails to their employees. The results were eye-opening: more employees clicked the AI-generated emails by a significant margin.

Automated and adaptive attacks

With the use of AI, attackers are now capable of automating attack phases, such as reconnaissance, command and control, and exploitation. The main problem with automated attacks is that they are adaptive to real-time, making them almost impossible to detect or counter.

We’re at an age where security professionals must fight fire with fire. To stay ahead of the curve, leaders need to utilize zero-trust, provide security awareness training, and make AI analytics-driven decisions.

According to a McKinsey report, the use of AI and ML in compliance monitoring and reporting has increased by 40% in 2023. The same year, we also saw a rise in AI guidance and issued regulations, with the first-ever comprehensive law on the use of AI: the European AI Act. Additionally, the US  White House made an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence which promotes innovation while protecting privacy.

Data Privacy Takes Center Stage

As a business, data privacy is your new best friend in the world of InfoSec. In recent years, we’ve seen a surge in data privacy regulations in the U.S., with laws like California Consumer Privacy Act and New York SHIELD Act setting the pace. CCPA secured new privacy rights for consumers in California, ranging from the right to know what data is being collected to the right to delete the data if requested by consumers.

Similarly, the NY SHIELD Act expanded the definition of a data breach to include unauthorized access to private information. This further requires businesses to invest in monitoring and detection systems that can identify and address unauthorized access in addition to actual data theft.

These regulations were a game-changer, allowing consumers to have more control over their data and privacy. And it’s not the only two states to employ such laws — similar regulations are popping up across the country. Colorado, Connecticut, and Utah are following suit with new data privacy laws that are set to take effect in 2024-25.

This is great news for consumers, but what does it mean for businesses?

Businesses need to comply with lawful data processing and safeguarding customer information. From data collection and storage to sharing and disposal, businesses must prioritize data privacy and protection in their operations.