US Cybersecurity Compliance Requirements by Industry

best practices for cyber security

Cybersecurity is important for all industries to protect sensitive information and customer data. Different industries have different regulations that they must meet depending on the types of data they use and store. Read on to learn about some of the cybersecurity regulations in a few regulated industries. 

Financial Cybersecurity Regulations and Compliance

The financial sector has a few cybersecurity requirements that are set by federal and state regulators. The most common set of requirements are the ones found in the Federal Financial Institution Examination Council handbook, or FFIEC-IT.

This body of rules is made up of a number of booklets that contain resources and requirements that financial institutions are expected to adhere to. There are also several different guidances that are put out by financial regulatory bodies.

An example of this is the Office of the Comptroller of Currency (OCC), which has put out guidance on third-party risk management. This guidance is given to all organizations that come under their jurisdiction.

Retail Cybersecurity Regulations and Compliance: PCI DSS

The retail sector isn’t federally regulated, but it does have regulations set by the Payment Card Industry Security Council’s Data Security Standard (or PCI DSS). This group issues security standards that must be followed by any organization that processes card payments or holds any payment card data, including all retailers making credit card transactions.

A failure to follow PCI DSS compliance may result in fines of anywhere from $5,000 to $100,000 from your credit card company per month, and you could also lose your merchant’s account at your bank.

Healthcare Cybersecurity Regulations and Compliance: HIPAA

The best known standard for cybersecurity compliance in healthcare is the Health Insurance Portability and Accountability Act. HIPAA establishes the cybersecurity standards for healthcare organizations, insurers, and third-party services providers that medical organizations work with.

This standard enforces protection for personal health information (PHI) that patients provide to their medical providers, both digitally and in other forms.

Department of Defense Cybersecurity Regulations and Compliance: DFARS and CMMC

Because of the sensitive information the Department of Defense holds relating to national security, as a condition of providing a service to the US Department of Defense (DOD), businesses in their supply chain are required to meet cyber requirements that have been set up in the Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures Guidance and Information (PGI).

DFARS outlines cybersecurity standards that third-party contractors must meet and comply with before doing business with the DOD in order to protect sensitive defense information. But in addition to DFARS, a new set of regulations called Cybersecurity Maturity Model Certification (CMMC) is currently being rolled out.

Because of the strict guidelines of these federally mandated requirements, many DoD contractors choose to work with a company specializing in IT services for DoD contractors in order to stay on top of changes and remain eligible for DoD contracts.

Consumer Data Cybersecurity Regulations and Compliance

Currently, 47 out of 50 states have enacted cybersecurity compliance requirements for organizations to notify states about security breaches that have compromised customer data.

For example, if your company stores sensitive personal information about customers, such as social security numbers, account numbers, or payment card information, and you experience a breach, you must notify the people affected. The Federal Trade Commission (FTC) can also penalize organizations who fail to adequately protect consumer data. 

Insurance Cybersecurity Regulations and Compliance

While regulations for insurance departments and companies can vary from state to state, many have laid out requirements to protect consumer information. There has also been increased interest in adding more regulations in this area.

The New York State Department of Financial Services (DFS) recently proposed new regulations around cybersecurity for both financial organizations and insurance companies. 

Energy Cybersecurity Regulations and Compliance

The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over a number of different electric utility companies and operators. The standards are created by a nonprofit authority called the North American Electric Reliability Corporation (NERC), and the regulations are known as the Critical Infrastructure Protection (CIP) Standards.

SME Paid Under