What Cybersecurity Requirements US Companies Should Follow In 2024
There are several key cybersecurity regulations and requirements that US companies need to comply with at both the federal and state levels:
Federal Regulations
- HIPAA (Health Insurance Portability and Accountability Act): Applies to healthcare providers and organizations handling protected health information (PHI). It requires safeguarding patient data[1][2].
- GLBA (Gramm-Leach-Bliley Act): Regulates the collection and handling of financial information. Companies collecting or storing financial data must comply[1][2].
- PCI DSS (Payment Card Industry Data Security Standard): Security standards for companies processing, storing or transmitting credit card data. As of March 2024, version 4.0 is mandatory, requiring multi-factor authentication[2][3].
- FISMA (Federal Information Security Modernization Act): Requires government agencies to protect information systems. Managed service providers (MSPs) serving government clients need to align with FISMA, which was updated in 2023 to improve coordination[2][3].
- SEC Incident Disclosure Regulations: As of Dec 2023, publicly traded companies must report material cybersecurity incidents within 4 business days[3].
Selected State Regulations
- California Consumer Privacy Act (CCPA): Protects personal information of CA residents. Applies to companies engaging with CA residents, not just those based in CA[2][3]. New CCPA regulations expected in 2024 cover cybersecurity audits, risk assessments, and automated decision-making technology[4].
- NY DFS Cybersecurity Regulation: Applies to financial services companies licensed by NY Dept of Financial Services. Requires risk assessments, cybersecurity policies, CISO reporting, encryption, incident response plans, etc. with phased implementation through 2025[5].
- Massachusetts Data Privacy & Security Regulations: The MA Office of Consumer Affairs & Business Regulation urges all licensees to develop, implement and regularly test cybersecurity plans. It recommends following Department of Homeland Security (DHS) guidelines[6].
Why Compliance Matters
Key reasons all US companies should prioritize cybersecurity compliance[2][7][8]:
- Avoid costly data breaches, which averaged $3.86M in 2020.
- Maintain customer trust. 67% of companies saw significant loss of trust after a breach.
- Prevent hefty non-compliance fines, such as up to $7,500 per record for CCPA violations.
- Mitigate cyber risks, as 77% say they couldn’t recover from a major attack.
In summary, cybersecurity compliance through a formal program is essential for all US businesses to protect data, finances, reputation and operations amid increasing threats and stricter regulations at both state and federal levels. The specific requirements depend on industry, location, and types of data handled.
Citations:
[1] https://www.itgovernanceusa.com/federal-cybersecurity-and-privacy-laws
[2] https://www.upguard.com/blog/cybersecurity-regulations-by-industry
[3] https://www.connectwise.com/blog/cybersecurity/cybersecurity-laws-and-legislation
[4] https://www.jonesday.com/en/insights/2024/02/california-privacy-a-deeper-dive-into-the-new-regulations-expected-in-2024
[5] https://www.dfs.ny.gov/system/files/documents/2023/11/cybersecurity_implementation_timeline_covered_entities.pdf
[6] https://www.mass.gov/data-privacy-and-cybersecurity
[7] https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa
[8] https://trinware.com/compliance/brief-guide-to-us-cybersecurity-regulations-by-industry/