Navigating the 2024 Cybersecurity Laws and Regulations: A Guide for MSPs
Determining which cybersecurity regulations apply to your business depends on several factors, including your industry, geographic location, and where your clientele is based. Here are some key cybersecurity laws and industry regulations for Managed Service Providers (MSPs), including updates for 2024, categorized by region:
The United States
Health Insurance Portability and Accountability Act (HIPAA):
A federal law that protects patient health information. MSPs providing cloud hosting services to healthcare providers must comply with these regulations.
Federal Information Security Modernization Act (FISMA):
Requires federal agencies to protect their information systems against cyberattacks. Overhauled in 2023, FISMA now supports more effective cybersecurity methods and improved coordination among federal agencies. MSPs serving governmental bodies need to align their cybersecurity practices with FISMA.
Gramm-Leach-Bliley Act (GLBA):
Regulates the collection and handling of financial information. Organizations dealing with financial data must comply with GLBA.
Payment Card Industry Data Security Standard (PCI DSS):
Sets security standards for companies handling cardholder data. Version 4.0, mandatory as of March 31, 2024, requires multi-factor authentication for payment card data processing.
New York Department of Financial Services (NYDFS) Cybersecurity Regulation:
Expanding regulations that require stringent notification procedures for incidents like ransomware. These requirements emphasize leadership responsibility, vulnerability assessments, and incident response. Although currently applicable to New York, these regulations may influence other states.
Executive Order on Improving the Nation’s Cybersecurity:
Signed in 2021, it aims to modernize cybersecurity for federal institutions and improve public-private collaboration. Recent updates include mandatory regulations for critical infrastructure vendors and a proactive approach to combating ransomware.
NIST SP 800-53 Rev. 5 and NIST Cybersecurity Framework 2.0:
Guidelines from the National Institute of Standards and Technology for governmental cybersecurity. NIST Cybersecurity Framework version 2.0, published in February 2024, adds new governance and supply chain features. Resources are available for small businesses with limited cybersecurity plans.
Securities and Exchange Commission (SEC) Incident Disclosure Regulations:
Effective December 18, 2023, publicly traded companies must report cybersecurity incidents within four business days of determining the incident’s materiality. This regulation increases the importance of having a well-practiced incident response plan.
California Consumer Privacy Act (CCPA):
Protects personal information of California residents, requiring companies to provide data access and control to customers. This law applies to any entity engaging with California residents.
The European Union
General Data Protection Regulation (GDPR):
Regulates the collection, storage, and processing of personal data in the EU. MSPs must comply with GDPR standards to avoid hefty fines.
The United Kingdom
Data Protection Act (DPA):
Regulates personal data handling, requiring organizations to inform customers about data practices and provide access to and deletion of data. Cyber Essentials certification is required for bidding on government contracts.
Network and Information Systems (NIS) Regulations and NIS2 Directive:
New regulations coming into effect on October 17, 2024, introduce stricter reporting requirements for data breaches and increased fines for non-compliance.
ASEAN/Oceania
ASEAN Cybersecurity Cooperation Strategy:
Adopts key principles of GDPR and DPA to protect personal data and ensure secure data storage and disposal.
Australia’s Essential Eight:
A set of mitigation strategies to protect businesses from cyber threats, focusing on Microsoft Windows-based networks but applicable to other platforms.
Security of Critical Infrastructure Act 2018 (SOCI):
Outlines obligations for companies managing critical infrastructure assets.
Cybersecurity Laws to Watch
EU Cyber Resilience Act (CRA):
Expected in Q3 2024, it mandates cybersecurity requirements for digital products throughout their lifecycle.
Digital Operational Resilience Act (DORA):
Effective January 17, 2025, DORA aims to enhance the cybersecurity and operational resilience of financial institutions.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA):
Requires critical infrastructure providers to report cybersecurity incidents within 72 hours. Rules are expected to be published in 2024.
How MSPs Can Adapt to Regulatory Changes
- Adopt a Cybersecurity Framework: Align with standards like CIS Controls or NIST Cybersecurity Framework.
- Ongoing Training and Assessments: Conduct regular cybersecurity awareness training, inventory management, change management, and vulnerability assessments.
- Incident Response Plan: Develop and regularly test an incident response plan through tabletop exercises.
Cybersecurity Solutions to Tackle New Regulations
Partnering with an experienced MSP software provider can simplify regulatory compliance. Tools like ConnectWise’s professional service automation can handle reporting and administrative tasks, while their security operations center analysts can assist with more complex compliance needs.
Staying informed on the latest laws and leveraging the right tools and partnerships can help MSPs manage compliance effectively and enhance their service offerings.