For most of my career, I worked for major international financial services companies in the security and risk functions. These organizations were multinational global institutions that operated in a plethora of countries. One of the challenges that was common in these organizations was ensuring we complied with each jurisdiction's information and cybersecurity regulations. In practice, that work involved managing relationships with, in some cases, more than 250 regulatory authorities, each of which came with its own expectations of standards for cybersecurity best practice.
In the intervening years, cybersecurity has become exponentially more important to businesses and consumers alike, and data privacy and security regulations have proliferated as a result — as have the standards frameworks to help businesses achieve compliance.
Your average global financial services company today must contend with general data privacy regulations, including GDPR (EU), CCPA (US), and PIPL (China), among many, many more (some 194 countries have put in place legislation to ensure the protection of data and privacy).
In addition, firms must comply with various sector-specific requirements, such as the FFIEC assessment (US), MAS's TRM requirements (Singapore), CPS 234 mandates (Australia), and others. Financial services are also often deemed part of nations' "critical infrastructure," which brings its own regulations to comply with, including the SOCI Act (Australia) and the NIS Directive (UK).
The Complicated State of Security Policy Regulations
Complying with privacy and cybersecurity laws and standards is a major undertaking, especially as significant new rules, regulations, and best practices continue to emerge. Given that businesses will often turn to their security and risk partners to help them implement standards and ensure compliance, this is a burden not only for the regulated, but also for those organizations that support them.
Of course, few would argue that regulation is a bad thing. It pulls up the lowest common denominator and drives organizations to act. But the staggering complexity of the global regulatory environment makes compliance a costly and hugely time-consuming affair (it's thought that companies spend up to 40% of their cybersecurity budget submitting regulatory compliance reports).
As for standards, the proliferation of frameworks such as NIST CSF, ISO 27001 and ISO 27002, and NERC CIP can leave organizations wondering just which one to standardize on and, when they do, how they can then demonstrate compliance with other standards. An entire cottage industry has been built around helping businesses map security controls across the different frameworks available to them.
Companies that need to meet security requirements across diverse jurisdictions often find that no matter how many resources they throw at the challenge, they cannot eliminate the risk of regulatory action for an unintended compliance misstep. Not only that, but when security professionals spend a huge amount of time sorting through the nuances of various regulatory bodies' cyber rules, it's time lost that they could otherwise focus on combating the actual risks their company faces. They may miss threats looming in the forest because they're concentrating on the regulatory trees. After all, being compliant and being secure are two very different things.
A Way Forward for Policy Harmonization
The time has come for a much greater degree of global regulatory harmonization. In theory, the gold standard for harmonization would involve making the regulatory requirements or governmental policies of different jurisdictions identical. However, given the enormous complexity of the issue, the capability and maturity gaps between jurisdictions, and the requirement for widespread cooperation between nation states, it's unlikely that this level of harmonization is feasible. But that's not to say progress can't be made. Here are just a few potential paths harmonization could take:
- A principles-based approach. As a first step, governments and regulators could come together on a set of agreed-upon overarching principles to inform regulation, such as the sanctity and integrity of personal data and citizens' rights to data consent and transparency.
- Regulatory equivalence. In lieu of common laws, different jurisdictions could agree to accept proven compliance with one set of laws as being tantamount to compliance with another.
- Borrow gold-standard rules. Legislators should introduce new laws and obligations only after first assessing whether existing laws from another jurisdiction can be imported instead.
Regulatory harmonization on a large scale can and does work. A good example of this is in the European Union, where common regulatory standards across the bloc are normal. Indeed, EU law is often designed specifically to bring order and simplicity to a legacy mismatch of various national laws. We are seeing this again with the Digital Operational Resilience Act (DORA).
Standards harmonization is a prize worth fighting for. By simplifying the complexity of managing compliance, we can enable security and risk teams to focus on managing operational risk rather than compliance risk, which leaves them better placed to counter threats and maintain operations. It's a big, complex job, and all stakeholders, including government collaborative bodies (e.g., the G20), international bodies (e.g., the UN, the World Economic Forum), and industry leaders, like corporate CEOs and security and risk executives and practitioners, need to agitate for greater traction on this and work together to make progress.