In a world where cybersecurity threats are increasingly prevalent, the U.S. Securities and Exchange Commission (SEC) has taken a significant step towards ensuring transparency and accountability in how companies manage these risks. The SEC has adopted new rules requiring companies to disclose material cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance.

Australia is using the Security of Critical Infrastructure Act 2018 (SOCI Act 2018) as a framework to help the country mitigate and remediate threats to the country’s critical infrastructure. This comes after several high-profile cyber attacks raised Australia’s awareness of the need for cybersecurity and the standardization of cyber security measures for priority organizations.

The Massachusetts Data Security Law (201 CMR 17.00) safeguards the personal information of Massachusetts residents. The law went into effect on March 1, 2010, and at the time, was one of the most comprehensive data privacy laws passed in the United States. Since the law’s passing, a variety of U.S. States have passed more robust data privacy legislation, including the notable California Consumer Privacy Act (CCPA) and Virginia Consumer Data Privacy Act (VCDPA).

Washington’s My Health My Data Act (MHMD Act) regulates businesses and service providers that process or collect consumer health data from state residents. The act’s broad definition of “health data” carries compliance implications for a wide range of entities, including many that fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA).

Despite being the second-largest internet market in the world, India has yet to pass a comprehensive data privacy bill. It is important to have policies and regulations in place to protect them and their right to data privacy—a right that India’s Supreme Court recognized in 2017. Since then, the country’s government has been working towards passing a bill that codifies the rights of individuals to data privacy and protection.

In September 2019, California signed Senate Bill 327, also known as the California Internet of Things (IoT) Security Law. While not an extensively written piece of legislation like the California Consumer Privacy Act (CCPA), SB-327 took effect on January 1, 2020, and focuses on manufacturers of connected devices—requiring updated security standards that protect both devices and end-users. Learn how UpGuard can help your organization update security standards and monitor risk >

As the digital landscape evolves, so too does the regulatory environment. One of the latest pieces of legislation to impact organizations across the EU is the Network and Information Security 2 (NIS 2) Directive. This directive, aimed at enhancing cybersecurity across the Union, has far-reaching implications for a wide range of organizations, both within and outside the EU.

The General Data Protection Regulation (GDPR) is a set of privacy and security standards put into effect by the European Union (EU). Widely accepted as the world's strictest security and privacy law, GDPR imposes regulations on organizations that target or collect data relating to people in the EU. European Parliament signed GDPR into law in 2016, requiring all organizations to comply by May 2018.

The U.S. Securities and Exchange Commission (SEC) this week voted to adopt new rules for how companies inform investors about cybersecurity concerns. The vote comes after years of gradually increasing guidance and scrutiny over companies’ handling of cybersecurity events and follows a lengthy comment period where companies, including CrowdStrike, provided input.

What happened? The SEC (Securities and Exchange Commission) has introduced new rules that require public companies to be more transparent about their cybersecurity risks and any breaches they experience. This means companies will need to regularly share information about how they're managing cybersecurity risks and any significant cybersecurity incidents they've had. If a company experiences a significant cybersecurity incident, they'll need to report it within four business days.