Blog 178# The Bitter Truth: How Changing Laws and Regulatory Definitions Are Reshaping Cybersecurity and GRC

Overview

The cybersecurity and Governance, Risk, and Compliance (GRC) landscape is rapidly evolving, influenced by global regulations, industry leaders, and unique circumstances. This article explores key laws, advisory changes, and their implications for organizations worldwide, with a focus on India and global markets in 2024 - 2025.


Key Global Updates

Global Developments:

  1. Cyber Resilience Act (CRA) – European Union: Adopted on October 10, 2024, the CRA establishes common cybersecurity standards for products with digital elements sold within the EU. It requires manufacturers to conduct cyber risk assessments, provide automatic security updates, and report incidents to the European Union Agency for Cybersecurity (ENISA) within 24 hours. Non-compliance can result in fines of up to €15 million or 2.5% of global annual turnover.
  2. SEC Cybersecurity Regulations – United States: In December 2023, the U.S. Securities and Exchange Commission (SEC) implemented regulations requiring companies to promptly disclose material cybersecurity incidents and detail their governance practices. These rules aim to enhance transparency and accountability in cybersecurity management.


Key Indian Updates

Indian Developments:

  1. Digital Personal Data Protection Act, 2023 (DPDPA-2023): Enacted on August 11, 2023, this act governs the processing of digital personal data in India. It outlines obligations for data fiduciaries, rights for data principals, and establishes the Data Protection Board of India to adjudicate disputes. The act emphasizes consent, data minimization, and imposes penalties for non-compliance.
  2. SEBI's Cybersecurity Framework for Regulated Entities: On August 21, 2024, the Securities and Exchange Board of India (SEBI) introduced a new cybersecurity framework for regulated entities, effective from January 2025. It requires entities to establish Security Operation Centres (SOCs) for continuous monitoring and mandates regular cybersecurity audits. For smaller entities, SEBI has facilitated market SOCs through stock exchanges like NSE and BSE to assist in compliance.


Challenges and Industry Responses

Organizations are grappling with the complexities of these expanding cyber regulations. The lack of harmonization among various regulatory requirements poses significant compliance challenges. For instance, companies must navigate differing incident reporting timelines and standards across jurisdictions, leading to increased operational burdens.

Advisories and Recommendations:

  • Enhancing Cybersecurity Measures: Organizations are advised to implement robust cybersecurity practices, including zero-trust architectures, multi-factor authentication, and regular system updates. Employee education on cybersecurity is also crucial to reduce human error, a common factor in breaches.
  • Proactive Risk Management: Companies should conduct regular security audits, develop comprehensive incident response plans, and consider cyber insurance to manage potential financial losses from cyber incidents.
  • Regulatory Compliance: Staying informed about the latest regulatory requirements and ensuring timely compliance is essential. This includes understanding the specific obligations under laws like the DPDPA-2023 and SEBI's cybersecurity framework in India.

In conclusion, the cybersecurity and GRC landscape is rapidly evolving, with significant regulatory developments both globally and in India. Organizations must remain vigilant and proactive in adapting to these changes to ensure compliance and safeguard against cyber threats.


Recommendations

  • Enhance Cybersecurity Measures: Implement zero-trust architectures, MFA, and employee training.
  • Proactive Risk Management: Regular security audits and cyber insurance can mitigate financial risks.
  • Compliance Readiness: Stay updated with local and global regulatory standards for seamless alignment.


Conclusion

As laws and regulatory definitions shift, organizations must remain vigilant and proactive in adapting to new requirements. The future demands a balance between innovation and robust compliance to mitigate evolving cyber risks.

Pedro Londe

Speaker in the technology field

1 month

Great post, Umang Mehta

Jithu Joseph

Security Architect | CEH

1 month

This is really informative, thanks for sharing!

Umang Mehta

Award-Winning Cybersecurity & GRC Expert | Contributor to Global Cyber Resilience | Cybersecurity Thought Leader | Speaker & Blogger | Researcher | CISO & CISA Practitioner | Cybersecurity Thought Leader and Writer |

1 month

What’s your biggest challenge in staying ahead of evolving cybersecurity regulations? Let’s share insights and learn from each other!
