Cybersecurity laws and legislation (2023)
As the landscape of cyber threats and regulations continues to evolve, staying up to date with the latest cybersecurity legislation is essential for all managed service providers (MSPs) and security professionals. With an increased focus on digital security, many countries and regions have enacted and updated cybersecurity regulations to protect citizens and businesses from a dynamic threat landscape.
What are the cybersecurity laws and regulations every MSP should know in 2023? This article will discuss how cybersecurity is regulated, the cybersecurity laws every MSP should know, and the legislation to watch in 2023 and beyond.
How is cybersecurity regulated?
Regulating bodies enact cybersecurity guidelines to protect individuals, businesses, and other organizations from cyber threats. These organizations include security industry associations that come up with standards for IT professionals and governmental agencies tasked with setting and enforcing security laws and regulations.
For example, the National Institute of Standards and Technology (NIST) is a non-regulatory agency within the U.S. Department of Commerce that establishes cybersecurity guidelines to help secure government systems and other organizations. NIST also publishes the Risk Management Framework (RMF), which provides guidance on developing, managing, and maintaining secure systems.
Cybersecurity legislation can vary by country, state, or even local community. The European Union has implemented a Cybersecurity Act to protect digital services within its member countries, while many individual states in the U.S. have enacted state-level cybersecurity laws as well.
In some cases, regulations may also be specific to certain types of businesses or industries. In the payment processing industry, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations that handle credit cards to meet specific security requirements such as encryption, user authentication, and regular software updates.
How do cybersecurity laws impact MSPs?
As a managed service provider, it’s essential to understand the regulations and standards that apply to your operations and clients. Depending on the type of service, MSPs may need to comply with a specific set of rules or standards. For example, a cloud hosting service provider may need to comply with the Cloud Security Alliance’s (CSA) Cloud Controls Matrix, or with the Federal Risk and Authorization Management Program (FedRAMP) if hosting federal data in the U.S.
Cybersecurity regulations can help MSPs assess and address potential threats, reduce the number of attacks, protect customer data, and ensure compliance with industry standards. As rules become more stringent and penalties for non-compliance rise, maintaining compliance with applicable laws and regulations is the first step to building a robust cybersecurity infrastructure.
The first thing to address is establishing the jurisdiction under which your MSP operates. Be sure to know the laws and regulations of all relevant jurisdictions to determine which standards and compliance requirements your organization needs to meet. This can become a complex task for multi-national operators, so it’s essential to ensure you have the right processes and procedures in place.
After establishing which laws and regulations apply, managed service providers must develop a compliance plan. This includes defining policies and procedures, creating a security strategy for the organization, implementing effective security controls, and ensuring that all staff members are trained in the relevant regulations.
Finally, MSPs should conduct regular audits to verify that security systems and procedures meet the required standards. This audit should include penetration testing, vulnerability scanning, and regular reviews of logs to identify any potential threats or malicious activity.
Compliance with cybersecurity laws and regulations typically requires a dedicated Security Operations Center (SOC). This team of security professionals is responsible for monitoring, reviewing, and responding to potential threats. By understanding the relevant laws and regulations, developing a plan for compliance, and implementing an effective SOC, managed service providers can ensure they remain compliant with all applicable cybersecurity legislation while protecting their clients’ digital assets.
To learn how you can grow your revenue and keep your clients protected, download our eBook How MSPs can Make Money from SIEM, SOC and EDR today.
What are the cybersecurity laws every MSP should know?
Determining the cybersecurity regulations that apply to your business depends on the industry you operate in, the geographical location of your organization, the location of your clientele, and other factors. Here are some of the most important cybersecurity laws broken down by region that every MSP should know:
The United States
Operating in the United States requires compliance with several laws dependent upon the state, industry, and data storage type.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patient health information. If you provide cloud hosting services to a healthcare provider, you must ensure your systems adhere to HIPAA regulations.
The Gramm-Leach-Bliley Act (GLBA) regulates the collection and handling of financial information. Any organization that collects or stores financial data must comply with this law.
The Payment Card Industry Data Security Standard (PCI DSS) sets rules for safeguarding consumer credit card data. Any MSP that processes payment card data must be compliant with this regulation.
The Executive Order on Improving the Nation’s Cybersecurity, signed in 2021, was created in the wake of several high-profile security incidents in the U.S. Its goal was to modernize cybersecurity through protected networks for federal institutions, better response to cyber incidents, and improved collaboration between the public and private sectors.
The NIST Cybersecurity Framework is a set of guidelines issued by the U.S. National Institute of Standards and Technology that regulates how governmental agencies approach cybersecurity. Though geared towards governmental bodies, this framework is updated regularly and provides public and private organizations alike with a comprehensive set of best practices for protecting systems from cyber-attacks.
The European Union
The European Union has enacted several data privacy laws to protect the personal information of its citizens. The General Data Protection Regulation (GDPR) is one of the most important regulations to be aware of, as it sets out the requirements for collecting, storing, and processing personal data.
MSPs that operate in the EU must ensure their systems adhere to GDPR standards and be prepared to face hefty fines if found in violation.
Some of the key features of the GDPR include the following:
- Providing clear and transparent information on how data is being collected, stored, and used
- Establishing protocols for responding to data breaches
- Ensuring data is only kept for as long as necessary
The United Kingdom
The Data Protection Act (DPA) is a law in the UK that regulates the handling of personal data. Passed in 2018, it replaces the previous Data Protection Act (1984), which laid out data processing requirements for organizations, including MSPs.
The DPA requires organizations to inform customers about their data handling practices and provide a way for customers to access and delete their data. It also sets out requirements for handling data breaches, preventing unauthorized access, and ensuring secure data disposal.
Cyber Essentials is similar to NIST in the US, in that it is a government-backed set of cybersecurity standards that organizations are encouraged to follow. In fact, in order to bid on government contracts, organizations are required to be certified for Cyber Essentials.
Though ASEAN countries have yet to pass an overarching regulatory framework, the Association of Southeast Asian Nations announced a Cybersecurity Cooperation Strategy that adopts many vital tenets of the GDPR and DPA. This includes protecting personal data, ensuring secure data storage and disposal protocols, and informing customers of their rights related to cybersecurity.
With a comprehensive framework in place, managed service providers can ensure that their cybersecurity practices comply with the laws of each country in the region.
In Australia, there is already a general standard for cybersecurity professionals to follow: the ACSC Essential 8. Similar to Cyber Essentials and the NIST framework, this is a set of mitigation strategies and controls that help protect Australian businesses from cyber threats. It primarily focuses on protecting Microsoft Windows-based internet-connected networks, but can be applied to other platforms as well.
Cybersecurity legislation to watch in 2023
Governments worldwide continue to pass more stringent cybersecurity laws and regulations as technology evolves. Here are some of the important laws and legislation that MSPs should watch out for in 2023:
The California Consumer Privacy Act (CCPA) is a state law due to be enacted on July 1, 2023. This law protects the personal information of California residents, requiring companies to provide customers with access to and control over their data. Similar to the GDPR, this legislation applies not only to California-based operations but to any entities seeking to engage with California residents and organizations.
The United Kingdom is expected to pass a new Data Protection Bill by the end of 2023, imposing stricter requirements on businesses, including MSPs. The bill will introduce new regulations around data security and breach notifications. The UK is also planning to strengthen its existing Network and Information Systems (NIS) Regulations during 2023. These regulations were originally implemented in 2018 to strengthen cybersecurity of organizations providing critical services.
In November 2022, the European Union enacted the Network and Information Security 2 Directive (NIS2), which replaced the original NIS Directive. The NIS2 Directive introduces new reporting requirements for data breaches and increases fines for non-compliance.
Maintaining compliance with the ever-evolving regulatory landscape is integral to running a successful managed service provider business. MSPs must stay abreast of the latest laws and regulations to ensure that their practices remain current. Though rules and regulations constantly change, resources like ConnectWise's Cybersecurity Center are here to help MSPs stay informed on the latest global developments.