While online security is normally the responsibility of the IT department, as marketing and IT departments become ever closer, marketers need a working knowledge of security regulations. The article below provides a roundup of the current environment.
Organisations have always had to comply with various regulations, whether associated with finance, employment, sustainability, security, or general business matters. But in 2024, the regulatory landscape is arguably more complex than ever. With the threat of cyber attacks growing every day and new technology changing how businesses operate, more regulations are being introduced every year to tackle these modern challenges.
As Richard Starnes, CISO at Six Degrees, explains, “one of the greatest compliance challenges organisations have to contend with is the sheer number of regulations. The amount of legislation and internal/external audits even a company solely trading in the UK must adhere to is growing untenable. Then, multiply this tenfold if that company also wishes to operate overseas.”
“It can be challenging for businesses to know where to start in becoming and remaining compliant, especially when required to meet the regulations of multiple regions, as each country’s regulations vary slightly from each other,” agrees Jason Keirstead, VP of Collective Defense at Cyware. “This challenge is only compounded by the rapidly evolving threat landscape, as organisations need to update their processes with each change in order to remain compliant.”
Staying secure
The evolving threat landscape has led to two prominent new regulations that have forced businesses into action in 2024. In December 2022, the UK Government passed the Product Security and Telecommunications Infrastructure (PSTI) Act into law, with organisations having to be compliant by the end of April 2024. The legislation aims to enhance the security of consumer internet-connected devices, which Nick Palmer, Solutions Engineer at Censys, considers “a good start.”
He continues: “It’s vital that we create a culture of increasing accountability around cybersecurity standards in manufacturing, and introducing legislation will be a key part of that. It will, at the very least, force manufacturers to start thinking more about security, and take some responsibility for it. There are so many internet facing devices now – from smart washing machines to children’s toys – and many customers have been ill-informed – or aren’t even aware of – the security risks they can pose. The UK’s PSTI Act will shift that responsibility onto the manufacturers.”
With the PSTI Act now in full force, many organisations are turning their attention to the EU’s Digital Operational Resilience Act (DORA). Although its premise is to improve cybersecurity and resilience in the financial sector, the act also extends to the ICT third-party service providers on which that sector depends.
“DORA’s reach across the financial sector is all-encompassing,” explains Darren Thomson, Field CTO EMEAI at Commvault. “Significantly, its power extends beyond financial services firms to include their critical third-party service providers, whether for cloud services, data analytics, or any ICT service crucial to infrastructure and operations. This is an important step in the right direction and the focus on resilience is refreshing. It recognises that, in today’s ever-changing threat landscape, organisations can no longer afford to simply meet the basic security requirements. They need true cyber resilience to be able to withstand whatever is thrown their way.”
Financial compliance
It is not just the compliance challenges of DORA that the financial sector is having to address. As the world has become increasingly globalised over the last couple of decades, the finance sector is starting to see global regulations introduced that aim to tackle tax avoidance by limiting tax competition.
“A foundational part of the Organisation for Economic Co-operation and Development (OECD) Base Erosion and Profit Shifting (BEPS) project, Pillar Two requires multi-national corporations with consolidated annual earnings over 750 million Euros to pay a global minimum of 15% tax, regardless of where they operate,” explains Russell Gammon, Chief Solutions Officer at Tax Systems. “It aims to harmonise corporation tax globally and provide a more level playing field.”
From a global scale to the niche area of payment technology, another regulation that some financial institutions are having to take action on is the Third Payment Services Directive (PSD3). Hugh Scantlebury, CEO and Founder of Aqilla, explains its roots: “Over the last few years, open banking has emerged as a game-changer for payment technology. By opening up transactional data, it has revolutionised how UK consumers and businesses access banking and financial services, enabling far more scope for automated payments. But at the same time, there have been growing concerns around the dominance of U.S. companies, like Mastercard and VISA.”
That is where PSD3 comes in. Scantlebury continues: “The latest regulation aims to foster competition amongst payment service providers by granting competitor access through mandatory APIs. By requiring payment service providers to provide APIs, they will be able to communicate with numerous banks and financial organisations, rather than relying on a handful of providers. This is certainly a positive step for the digital payments industry. It opens up the market for technological innovation by a range of different providers, as well as taking further steps to protect consumers’ rights and personal information.”
The advent of AI
But the main discussion about regulations that has been dominating headlines recently is, of course, around AI. Since generative AI came onto the scene at the end of 2022 and showed its potential to transform how businesses operate, governmental bodies have been scrambling to regulate the new technology.
Iju Raj, Executive Vice President R&D at AVEVA, recognises these efforts in the UK: “The government’s recent efforts in establishing a pro-innovation framework for AI are welcome, as it balances assessment and monitors the risks posed by AI with unlocking the transformative benefits of this technology.
“For the field of AI to develop in the UK, we need a focus on both innovation and safety. Just as important is the availability of skills and investment capital, plus a thriving culture of robust exchange of ideas and challenge between government, industry, academia and civil society.”
But Mark Skelton, Chief Technology and Strategy Officer at Node4, worries about whether we are moving fast enough. “With the current rate of progress, we are at high risk of AI overtaking us before we can control the use of it,” he says. “Governments across the world should be collaborating to get a handle on the situation. Crucially, they need to agree on guardrails for AI use and enforce them to the same degree. Otherwise, we run the risk of having ‘AI havens’, like tax havens, where entrepreneurs will move or start up their businesses so that they can develop and use AI in ways that are restricted in other countries. This stifles innovation and growth within the mandated countries, whilst going against the objectives of the regulation.”
Taking action
With all of these regulations circling around, how should business leaders go about getting a handle on them and ensuring they are compliant? As we have seen previously with GDPR, fines and reputational damage are two big consequences of non-compliance, and regulatory bodies are unlikely to take a lenient approach to the upcoming regulations.
Paolo Platter, CTO at Agile Lab & Product Manager on Witboost, provides his recommendations for avoiding unwanted consequences and ensuring compliance: “Organisations need to implement a reliable method of imposing enterprise-wide governance rules that, much like guardrails, remain in place throughout the lifecycle of data – wherever it resides.
“Computational governance is an approach that imposes a consistent governance framework throughout a company. It enforces internal standards and security controls but, at the same time, empowers data users by expediting data discovery and project development. Bypassing the system isn’t an option. All data produced and stored automatically meets regulatory requirements – it simply can’t be created if it doesn’t. Companies with a computational governance framework in place therefore set themselves up to be fully compliant and thereby avoid expensive fines and negative consequences.”
“It is crucial that technology companies continue to bake-in the support for regulation,” adds Matt Hillary, CISO at Drata. “We all need to embed privacy in the design aspects of our development lifecycle while we continue the rapid advancements in technology, particularly in the realm of data collection and processing.”
He advocates for Privacy by Design: “Privacy by Design is incorporating privacy protections into the product and software engineering lifecycle to help ensure the cradle-to-grave handling of customer data is explicitly identified, communicated, intentional, and handled appropriately.”
In conclusion, Terry Storrar, Managing Director at Leaseweb UK, acknowledges that, “the business climate is becoming increasingly more competitive, so to stay one step ahead companies need to continue going above and beyond. Modern businesses that put their customers first need to go beyond a tick-box culture of compliance and instead drive the industry where it needs to go by setting themselves the highest standards.”