Cybersecurity compliance remains a challenge amid new regulations

A recent report released by Swimlane has highlighted the ongoing challenges faced by organisations in the realm of cybersecurity compliance amid a rapid surge in new regulations. The report, titled "Regulation vs. Reality: Are the Fed's Attempts at Wrangling Incident Disclosure Effective?", examines how these new regulatory measures are influencing security budgets and compliance strategies.

According to the findings, a significant 93% of organisations have rethought their cybersecurity strategies over the past year due to the introduction of new regulations. Notably, 58% of these organisations have completely reconsidered their overall approach. In response to these regulatory shifts, 92% of organisations have reported increases in their allocated budgets, with some even experiencing budget hikes of up to 50% or more.

Despite these changes, only 40% of organisations feel fully prepared to meet the new compliance demands. This uncertainty continues to persist, with 19% claiming their organisations have done very little to meet the regulatory requirements. The report highlights the need for comprehensive investments in resources, tools, and personnel to achieve full compliance.

The report was conducted amid significant developments such as the US Securities and Exchange Commission's new rules on cybersecurity incident disclosure and the European Union's Cyber Resilience Act (CRA). The research, which surveyed 500 cybersecurity decision-makers at enterprises in the United States and the United Kingdom, aimed to understand the impact of the shifting regulatory landscape on cybersecurity strategies and budgets.

Michael Lyborg, Chief Information Security Officer at Swimlane, remarked on the changing landscape, stating that geopolitical turmoil and complex regulations have made cybersecurity a strategic imperative. He emphasised that while regulations are driving the rethinking of strategies and increasing budgets, challenges such as a talent shortage and fragmented infrastructure remain significant hurdles. Lyborg suggested that organisations must strike a balance between leveraging human expertise for complex situations and using AI-enhanced automation tools for routine tasks to achieve compliance and resilience effectively.

One of the key findings was in the area of incident reporting. Fifty-six percent of companies asserted they could report security incidents to investors, boards, and regulators within just one to two business days. However, 45% of respondents reported increased reporting times over the past year, indicating potential delays in the incident disclosure process.

The report also explored the preparedness for the EU's Cyber Resilience Act, with only one-third of respondents expressing full confidence in their ability to meet the Act's key requirements. There was also a considerable consensus on the need for AI regulation, with 83% of respondents favouring regulatory oversight on AI development and use. Challenges in adopting or expanding AI utilisation were most often cited as balancing data collection and analysis needs with maintaining adherence to data privacy regulations and user trust.

Cody Cornell, co-founder and chief strategy officer of Swimlane, underscored the urgency of robust cybersecurity measures, drawing on his experience working with government agencies. He noted a clear disconnect between the strategic changes organisations are making and their confidence in achieving full compliance, indicating that a more holistic approach encompassing technology, talent, training, and streamlined workflows is essential.

The survey, conducted by Sapio Research, involved interviews with cybersecurity decision-makers from large enterprises in the US and UK, carried out via online surveys in March and April 2024.

This report underscores the critical need for ongoing adaptation and investment in cybersecurity practices to navigate the evolving regulatory landscape effectively.