We’ve all been there – creating short- or long-term plans to achieve certain personal goals. However, business planning often comes with even higher stakes, and the consequences of an ill-thought-out plan can be far-reaching and span monetary loss, reputational damage and even bankruptcy. As businesses swing towards an age of increasingly comprehensive regulatory requirements to strengthen supply chains and operational resilience, the challenges go beyond market dynamics.

On the security front, with regulations such as the GDPR in the EU and CCPA and CPRA in the US, or NIST’s cybersecurity framework, the protection of user data has never been more central to risk management. Indeed, as we move further into an age of AI-driven innovation and public data proliferation, expect more regulations designed to protect consumers and hold organizations accountable for safeguarding sensitive information. To become and stay compliant, businesses will need to implement stronger data protection measures, paired with enhanced monitoring and reporting.

Compliance – a reasonable request

Each cyber-regulatory framework has its own specific requirements, but they all share a common goal – to protect data by safeguarding it against unauthorized access, as well as exfiltration and misuse. The stakes are particularly high when it comes to data such as people’s banking and health information, and companies’ intellectual property.

Due to the rather complex nature of regulations, every single business has to ensure that they understand and know how to fulfill their obligations. However, these obligations can differ wildly, depending on the business vertical and the organization’s clients and partners, as well as the scope of its operations and geographic location.

To learn more about how your organization can be compliant with specific regulations, head over to ESET's Cybersecurity Compliance for Business page.

Achieving compliance can, therefore, be a daunting task. It certainly isn’t just a legal checkbox, however – it's a crucial investment for the long-term health of a business. Yet, many organizations, especially small and medium-sized ones, are not adequately prepared to address cybersecurity risks and meet regulatory requirements.

Simply put, when cyberthreats loom large, the objective consequences of low preparedness, or the illusion of security, can have devastating consequences. This is borne out by figures: according to the IBM Cost of a Data Breach Report 2024, the average cost of a breach globally stands at US$4.88 million.

Missing the point

To underline why compliance is essential, let’s discuss some major incidents that could have been significantly mitigated had the impacted parties acted in accordance with basic frameworks.

The Intercontinental Exchange

In 2024, the Intercontinental Exchange (ICE), a financial institution more known for its subsidiaries such as the New York Stock Exchange (NYSE), was fined US$10 million for neglecting to timely inform the US Securities and Exchange Commission (SEC) of a cyber-intrusion, thus violating Regulation SCI.

The incident involved an unknown vulnerability in ICE’s virtual private network (VPN) device, which enabled malicious actors access to internal corporate networks. The SEC found that despite knowing about the intrusion, ICE officials failed to notify the legal and compliance officials of their subsidiaries for several days. Thus, ICE violated its own internal cyber-incident reporting procedures, leaving the subsidiaries to improperly assess the intrusion, which ultimately led to the organization’s failure to fulfill its independent regulatory disclosure obligations.

SolarWinds

SolarWinds is a US company that develops software to manage business IT infrastructure. In 2020, it was reported that a number of government agencies and major corporations had been breached through SolarWinds’s Orion software. The "SUNBURST" incident has become one of the most notorious supply-chain attacks with a global impact – the litany of victims included large corporations and governments, including the US Departments of Health, Treasury, and State. The complaint by the US Securities and Exchange Commission (SEC) alleges that the software company had misled investors about its cybersecurity practices and known risks.

To be clear, before the SEC introduced its Rules on Cybersecurity Risk Management for “material” incidents in 2023, timely and accurate reporting had not been a major strategic consideration for many organizations in the US. That is unless we discuss regular risk assessment reporting that needs to take place as part of a strong cybersecurity strategy (or for compliance purposes with specific standards). It is largely up to businesses how they devise their security reporting hierarchy with varying degrees of competence and responsibility (which SolarWinds violated as per the SEC).

The financial and reputational fallout of the breach was staggering. With more than 18,000 victims, and costs potentially climbing into millions of dollars per impacted business, this case underscores that neglecting security and compliance is not a cost-saving strategy – it’s a liability.

Yahoo

In another cautionary tale, Yahoo came under fire for failing to disclose a breach from 2014, costing the company US$35 million in an SEC fine. However, the story doesn’t end there as the subsequent class-action lawsuit added US$117.5 million to Yahoo’s tab, covering settlement costs paid to the victims. This came after the discovery of leaked credentials belonging to 500 million Yahoo users. Worse still, the company concealed the breach, misleading investors and delaying disclosure for two years.

Compounding things further, Yahoo suffered a second breach a year prior that affected an additional 3 billion user accounts. Again, the company didn’t disclose the second incident until 2016, before revising the disclosure in 2017 to reflect the full scale of the incident.

Transparent and timely disclosures of breaches can help mitigate the damage and prevent similar incidents in the future. The victims can, for example, change their login credentials in time to stop any potential miscreant from breaking into their accounts.

5 steps to compliance

Let’s discuss a few simple measures that any business aiming to stay compliant can take up. Consider it a baseline of action, with further improvements based on the specific regulations and requirements that need to be established according to specific asks.

  • Understand your business: As mentioned earlier, businesses face varying compliance requirements, based on their industry vertical, clients/partners they work with, the data they handle, as well as the locations they operate in. All these might have different requirements, so pay attention to the specifics.
  • Investigate and prioritize: Determine which standards your business needs to comply with, find out the gaps that need to be filled, and define the measures to close those gaps, based on the most important regulations and standards the business has to fulfill in order to avoid breaches or fines.
  • Create a reporting system: Develop a robust reporting system that defines the roles and responsibilities of everyone involved, from top executives to employees in communication, and security personnel who manage and oversee your protective measures. Also, ensure there’s a clear process for reporting security incidents and that information can flow seamlessly to the relevant stakeholders, including regulators or insurers if necessary.
  • Monitor: Compliance is not a one-time effort – it’s an ongoing process. As part of continuous reporting, regularly monitor compliance measures and address areas that require attention. This includes checking systems for vulnerabilities, performing regular risk assessments, and reviewing security protocols so that your business adheres to evolving regulatory standards.
  • Stay transparent: If a breach is discovered, immediately assess the damage and report it to the appropriate authority – the insurance provider, regulator, and of course, the victims. As evidenced above, timely disclosure can help mitigate damage, reduce the risk of further breaches, and demonstrate your commitment to compliance, ultimately helping you maintain trust with customers, partners, and stakeholders.

These five steps provide a baseline for achieving cybersecurity compliance. While guidelines of this kind are broadly applicable, remember that each business may face some unique challenges. Reach out to relevant authorities to learn about the latest requirements, ensuring your compliance efforts are aligned with evolving expectations from governments, partners, and regulatory bodies. By understanding the specific requirements for your organization and industry, you can take the first step to navigating these complexities more effectively and ensuring that your business remains secure, compliant, and resilient in the face of cyberthreats.