The Next Phase in GRC and Regulatory Risks: 10 Principal Areas of Focus for 2024


According to Thomson Reuters, in 2022, there were over 230 daily alerts for regulatory updates. This figure is unsurprising given the increasing regulatory focus on Operational Resilience, Artificial Intelligence (AI), Cyber Security, Data Privacy, and Environmental, Social, and Governance (ESG) criteria.

In 2023, significant cyber security and digital operational resilience policies took shape in the U.S. and the European Union, establishing a benchmark for other areas. This trend of regulatory development observed in 2023 is expected to persist and intensify in 2024.

What can we anticipate for 2024, and what preparations are necessary? Below are ten critical regulations and areas of emphasis on our radar.

1. Regulatory Attention on AI

The recent increase in regulatory scrutiny of artificial intelligence (AI) is understandable, given the rapid expansion of AI and generative AI (GenAI) use across multiple sectors. This focus is anticipated to persist into 2024 and beyond.

In January 2023, the National Institute of Standards and Technology (NIST) unveiled the NIST AI Risk Management Framework (AI RMF 1.0). Its goal is to enhance the integration of trustworthiness in the design, development, deployment, and assessment of AI products, services, and systems. Furthermore, a significant move by the White House involved issuing an Executive Order to ensure the safe and trustworthy creation and application of AI.

The European Union is actively working towards AI regulation as well. In December 2023, EU representatives agreed provisionally on extensive rules for the secure and reliable application of AI. A BBC report indicates that the EU Parliament is slated to vote on these AI Act proposals within the year, with the laws expected to be implemented by 2025. Other countries, including China, Canada, Brazil, South Korea, Singapore, the UK, and the UAE, are at different stages of implementing AI-specific regulations, poised for adoption shortly.

As AI technology advances and finds new applications within the Governance, Risk Management, and Compliance (GRC) sector, these regulations are also anticipated to advance and adapt with technological progress.

2. SEC Cyber Security Regulations

In today’s digital age, cyber threats pose one of the most significant risks to organizations, and the availability of AI technology raises that risk further by making large-scale attacks easier to execute. Regulatory bodies are working to ensure that companies adopt adequate security measures to safeguard their assets and the interests of stakeholders.

In July 2023, the U.S. Securities and Exchange Commission (SEC) introduced the Cyber Security Risk Management, Strategy, Governance, and Incident Disclosure rules for public companies. These regulations mandate that:

- Companies establish a comprehensive incident response mechanism, including immediate reporting to the SEC.
- Companies regularly disclose the cyber security expertise of their board members and senior management, and the cyber security risk management practices they have adopted.
- For risk management, strategy, and governance disclosures, public companies must start including this information in their annual reports for fiscal years ending after December 15, 2023.

3. Cyber Security Maturity Model Certification (CMMC)

The Cyber Security Maturity Model Certification (CMMC), created by the U.S. Department of Defense, is another significant cyber security standard and certification framework. It aims to ensure the secure handling of sensitive but unclassified information shared between the Department and its contractors and subcontractors.

The final CMMC rule is expected this year. In 2023, the proposed revision, CMMC 2.0, was forwarded to the Office of Information and Regulatory Affairs (OIRA) at the White House for evaluation. This updated version offers a robust scheme to safeguard the defense industrial base’s (DIB) critical unclassified data against sophisticated cyber threats. Expected modifications in the final rule are set to streamline the compliance process, lower the costs associated with assessments, and boost accountability, among other improvements.

4. NIST Cyber Security Framework (NIST CSF)

Beyond regulatory mandates, standard-setting entities also provide guidelines and frameworks to aid organizations in effectively managing cyber security threats. The NIST Cyber Security Framework stands out as one of the most widely adopted. Initially released in 2014, it offers “a framework that can be utilized by organizations, regulatory authorities, and customers to establish, guide, evaluate, or enhance comprehensive cyber security strategies.”

The National Institute of Standards and Technology (NIST) released a revised version of the framework for public feedback in the second half of 2023. This updated draft, Framework 2.0, is designed to “mirror the evolving cyber security environment and streamline the application of the CSF across various organizations.” NIST has announced that the final edition of CSF 2.0 is slated for release in early 2024.

5. Cyber Security Mandates for the Financial Industry

The financial industry, a prime target for cyber threats due to its significant data and monetary assets, is under increased regulatory scrutiny.

In November 2023, the New York Department of Financial Services (NYDFS) updated its pioneering Cyber Security Regulation, first established in 2017. This regulation mandates that entities under its jurisdiction, such as banks, insurance firms, and various financial services providers, implement robust cyber risk management and governance practices. This includes establishing a comprehensive cyber security program to safeguard consumer data, drafting detailed policies, appointing a Chief Information Security Officer (CISO) responsible for data and system security, and enforcing strong controls.

The revised regulations introduce stricter governance protocols, more frequent risk evaluations, enhanced safeguards against unauthorized system access, improved incident reporting procedures, and more. These changes underscore the importance for organizations to closely monitor the evolving NYDFS Cyber Security Regulation, which is likely to influence similar standards across other regions.

Entities governed by these regulations must ensure compliance by April 29, 2024.

6. Data Protection

The safeguarding of Personally Identifiable Information (PII) remains a critical concern for regulatory bodies around the globe.

In the United States, the implementation of the new California Consumer Privacy Act (CCPA) regulations has been postponed to March 29, 2024. The California Privacy Rights Act (CPRA), approved by California voters in 2020, has revised the CCPA, introducing enhanced privacy measures. It sets new benchmarks for collecting, storing, and utilising consumer data and introduces “additional responsibilities for handling personal information, including enabling consumers to opt out of their data being shared.”

The CPRA also created the California Privacy Protection Agency (CPPA), which took over implementation and enforcement of the law on July 1, 2022, with enforcement scheduled to begin on July 1, 2023. The agency, however, only finalized its initial regulations under the CPRA on March 29, 2023.

Because of this delay, a California court extended the deadline for enforcing these new rules by a year. The legislative amendments to the CCPA, however, took effect on January 1, 2023, and are currently in force.

In November 2023, the CPPA proposed a novel regulatory scheme for “automated decision-making technology” (ADMT), establishing necessary safeguards for how businesses employ these technologies. Additionally, the agency has released updated draft regulations concerning risk assessments and cyber security audits.

7. Focus on Operational Resilience

Attention to operational resilience in the financial industry, and the measures that follow from it, continue to grow. In the United Kingdom, the Bank of England, the Financial Conduct Authority, and the Prudential Regulation Authority jointly issued a consultation paper last month titled “Operational resilience: Critical third parties to the UK financial sector (PRA CP26/23 and FCA CP23/30).” The deadline for submitting feedback is March 15, 2024. These regulators also plan to propose a joint policy statement on how they will apply their enforcement powers over critical third-party service providers.

In the EU, the Digital Operational Resilience Act (DORA) is designed to bolster the management of information and communications technology (ICT) and digital risks, especially regarding third-party involvements, thereby enhancing digital operational resilience within the region’s financial sector. It mandates a comprehensive set of requirements covering areas such as a risk management framework, handling and reporting incidents, and implementing a digital operational resilience testing program, among other aspects. Passed by the European Parliament in November 2022, the act sets a compliance deadline of January 17, 2025, for regulated bodies. This initiates a critical one-year period for financial sector entities to align with DORA’s stipulations.

As operational resilience becomes increasingly crucial across various sectors, DORA is a pivotal regulation, signalling a potential trend for similar initiatives to be adopted by other sectoral and federal regulatory bodies. In September 2023, the UK’s Department for Science, Innovation and Technology issued a legal document to modify the term ‘fundamental rights and freedoms’ in the data protection laws. This revision aims to align the language with rights acknowledged by UK legislation, moving away from the rights preserved under EU law. Should the UK Parliament endorse this change, it is anticipated to be enacted at the beginning of 2024.

8. The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) is a crucial regulation aimed at safeguarding consumer financial privacy by mandating that financial institutions disclose their practices regarding information sharing with their customers and protect sensitive information.

In a significant update in October 2023, two decades after the GLBA Safeguards Rule first took effect, the Federal Trade Commission (FTC) amended the rule. The amendment requires non-bank financial institutions to notify the FTC of data breaches affecting at least 500 consumers. Notification must be made as soon as possible, and no later than 30 days after the breach is discovered.

The amended rule takes effect 180 days after its publication in the Federal Register, which is expected to fall in 2024.

9. Payment Card Industry Data Security Standard (PCI DSS) Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a crucial benchmark for safeguarding cardholder information. This internationally acknowledged framework is essential for entities that handle, process, or transmit cardholder information, offering detailed technical and procedural guidelines to ensure data protection.

The newest iteration, PCI DSS version 4.0, is set to be enforced starting March 31, 2024. This version, released by the PCI Security Standards Council in March 2022, provides a two-year window for organizations to adapt to and incorporate the revisions.

As stated in the official announcement, the update to version 4.0 from 3.2.1 is designed to counteract evolving security threats and leverage new technologies for enhanced threat mitigation.

Discover the journey with Corporater to achieve and maintain PCI DSS compliance.

10. Equity and Environmental Sustainability

The commitment to diversity, equity, inclusion (DEI), and environmental sustainability is becoming increasingly critical for businesses and regulatory bodies worldwide. Notably, in the United States, 22 states adjusted their minimum wage rates at the start of 2024. Moreover, the Department of Labor (DOL) is expected in April to finalise amendments to the regulations governing exemptions from the Fair Labor Standards Act’s (FLSA) overtime and minimum wage requirements for certain salaried employees.

Additionally, a new DOL rule came into effect at the beginning of 2024, mandating businesses with 100 or more workers in specific high-risk sectors to electronically report incidents of injury and illness to the Occupational Safety and Health Administration (OSHA).

In Europe, the European Parliament endorsed the Corporate Sustainability Reporting Directive (CSRD) in November 2022. This directive mandates member states to adopt enhanced sustainability reporting standards within 18 months, aiming to improve transparency and decision-making regarding sustainability for investors and stakeholders. This directive emphasizes the need for large corporations and publicly traded small and medium-sized enterprises (SMEs) to disclose information on various sustainability aspects, including environmental, social, human rights, and governance issues, as noted by the European Council.

The directive’s enforcement will be phased in from 2024 to 2028, starting with entities already under the non-financial reporting directive (NFRD) reporting in 2025 for the 2024 fiscal year.

These are some of the key rules businesses should watch this year. To keep pace with rapidly changing rules and regulations, companies need a simple, smart, technology-based way to manage compliance. Such an approach helps them stay current with new regulations, reduce costs, and gain a clearer view of their compliance posture. IMC Compliance Management makes it easier for companies to launch and sustain their compliance programs, ensuring they meet the necessary rules and standards.

IMC, an implementation partner of Corporater, supports organizations in delivering GRC solutions. Corporater is a global software company that enables medium and large organizations worldwide to manage their business with integrated solutions for GRC built on a single platform. Find out how IMC can strengthen your compliance efforts – book a demo tailored just for you today!
