Cyber regulations continue to multiply, with cyber regulations enacted or modified in in the UK, EU, South Africa and the US to name a few over the past 18-24 months. Cybersecurity policy is one of the few genuine areas of cross-party political agreement in many countries globally, so it is getting significantly more political attention that it ever has before over the last few years. As is common with regulation more broadly – cyber and risk practitioners use the highly sophisticated GRC platform Microsoft Excel and manual legal and regulatory research to keep on top of it all.
Cyber regulations, however, all have different requirements in these jurisdictions, creating “purgatory” for the average cybersecurity professional. For example, in the area of incident response and notification, an organization that is subject to the EU’s NIS2 and GDPR, have two different incident classifications to track and monitor (essential services notifications and personal data), both with different definitions, impact scenarios, penalty regimes for non-compliance, different regulatory reporting points depending on which EU member state you are in just to name a few points of difference.
Scaling that up to a global enterprise, cyber and risk professionals need to make choices about how they comply with cyber regulations which conflict with each other. Manual approaches to tracking, assessing impact of new regulation and gathering evidence to provide assurance over compliance is now an impossible ask for our Excel spreadsheet.
For cyber professionals wondering what sins they committed in a prior life to deserve this fate, some promising approaches from the world of RegTech are at hand. Recent acquisitions and capability building by GRC platform providers is changing the picture. Cyber professionals rolling their eyes at yet another obligatory mention of AI, need to give this use case a closer look.
Clients working with some of these providers have demonstrated with their enterprise risk management programs that it is possible to use generative AI to transform how you track and monitor compliance. These solutions are being used to scan the legislative landscape to identify applicable legislation, track its development and regulatory sentiment, and assess and produce gap analysis of your firm’s compliance posture. This approach influenced by how financial firms use regulatory intelligence solutions and risk intelligence solutions can help the cybersecurity industry better understand how we manage an increasingly complex regulatory landscape.
To find out more about how you escape regulatory purgatory and build this emerging capability into your GRC program, check out my session at our upcoming Security & Risk Summit in Austin, Texas November 5-7 entitled “Navigate The Conflicting Regulatory Landscape.” In the session, which is part of the broader Risk And Compliance track, we’ll discuss how using regulatory technology solutions to complement existing GRC technologies can help you navigate regulatory complexity. We’ll also look at how to develop risk intelligence capabilities to assess regulatory changes and determine their impact. To learn more about this session and the other sessions in the track, check out the full agenda here. I look forward to seeing you in Austin to discuss this topic more in person.
