Watch These 4 Operational Resilience and Critical Infrastructure Security Regulations to Stay Compliant in 2025

As we look forward to next year, leading assessments indicate that organizations will become increasingly vulnerable to a variety of potential risks. These risks can be either digital or physical in nature, ranging from targeted cyberattacks on critical infrastructure to extreme weather events that create large-scale disruptions across whole areas or regions.

Organizations that proactively address these interconnected threats with robust resilience programs are more prepared to mitigate the negative consequences when such risks materialize. If your organization lacks adequate preparedness, it can result in significant financial loss, damage to your organization’s overall market perception and brand equity, and reputational loss among current customers, potential customers, and industry partners.

To encourage organizations across every industry to adopt such programs, many local, national, and international regulatory agencies have passed new laws or amendments to existing laws in recent years that will take effect during 2025. Additionally, the same agencies are actively debating proposals for new laws or other guidelines — some of which are currently open for public comment — which, if they are finalized and adopted relatively soon, could potentially take effect during 2025 as well, if not shortly thereafter. Regulations like these are part of a coordinated response to a heightened risk environment, designed to help organizations like yours to elevate their overall business resilience.

The positive benefits of improved resilience should be reason enough to motivate compliance. But as the number of regulations affecting your organization goes up, so too does your regulatory risk. If your organization fails to comply with a new regulation in a timely manner, you’ll have to contend with the penalties laid out in its enforcement provisions, which can include steep fines and reputational setbacks among regulators that can lead to increased regulatory scrutiny in the future.

To help you stay compliant in 2025, let’s take a brief look at four adopted and potential regulatory changes for the coming year that may affect your organization, and how you can best address them.

Cyber Security Legislative Package 2024 [AU]

On November 25 of this year, the Australian Parliament passed a series of cybersecurity bills collectively referred to as the Cyber Security Legislative Package 2024. The package includes:

Cyber Security Bill 2024

This Bill imposes mandatory security standards for internet- or network-connectable smart devices, implements reporting requirements for certain types of businesses when they make extortion payments following a ransomware attack, sets new limitations on how information about cybersecurity incidents provided to the National Cyber Security Coordinator can be shared with and used by other government entities, and establishes a Cyber Incident Review Board to conduct reviews following significant cybersecurity incidents.

Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024

This Bill amends the Intelligence Services Act 2001 to create a limited use obligation that protects information provided to, acquired by, or prepared by the Australian Signals Directorate (ASD) during an ongoing or potential cybersecurity incident, and amends the Freedom of Information Act 1982 to exempt certain documents given to or received by the National Cyber Security Coordinator from Freedom of Information requests.

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024

This Bill amends the Security of Critical Infrastructure Act 2018 (SOCI) to regulate data storage systems containing business critical data in the same manner as critical infrastructure assets, expands the types of incidents about which the government can gather information to provide assistance during or in anticipation of incidents impacting critical infrastructure assets, redefines the term “protected information” to broaden its scope and clarify its use and disclosure, and empowers regulators to enforce critical infrastructure risk management obligations.

The overall goal of the package was to address multiple gaps in existing cybersecurity legislation and help the Australian government align the nation’s cybersecurity protocols more closely with international best practices. To that effect, most of the regulatory changes within the package are designed to protect organizations’ sensitive information by amending the standards by which the government can acquire and share it, even as they work to manage fallout from critical infrastructure-relevant events and review those events for key learnings that could potentially inform future regulatory improvements.

However, organizations within its jurisdiction also have new requirements to fulfill if they wish to stay compliant. Any resilience solution they use will need to flexibly adapt to new reporting standards (e.g. extortion payments following ransomware attacks), and in the case of the amendments to SOCI, meet a host of requirements across multiple areas of resilience including critical infrastructure management, risk management, incident management, and more.

Digital Operational Resilience Act (DORA) [EU]

The Digital Operational Resilience Act (or DORA) is a binding EU regulation designed to limit cybersecurity risk and mitigate disruptions within the financial sector by strengthening standards for digital operational resilience. Although it was officially adopted on December 14, 2022, its directives will apply to all affected financial institutions within EU member states beginning on January 17, 2025.

Among its many provisions, DORA pays special attention to the increased concentration of third-party providers (TPP) offering information and communications technologies (ICT) services. It instructs institutions to set protocols in place for internal governance and control frameworks for ICT risk management, documentation, monitoring, mechanisms for detecting anomalous activities, business continuity, risk containment, recovery, and repair.

If your organization is a financial institution in an EU member state to which DORA applies, such as a credit institution, payment institution, e-money institution, investment firm, crypto-asset service provider, central securities depository, manager of alternative investment funds, UCITS management company, administrator of critical benchmarks, crowdfunding service provider, or an ICT third-party service provider, you’ve likely been preparing throughout this year to meet its digital operational resilience standards by January 17, 2025.

But be aware that as of that date, your organization’s compliance with DORA will be subject to assessment by a Lead Overseer — and should noncompliance be determined, that Overseer may impose daily periodic penalty payments until your organization makes the necessary changes to resume compliance.

Terrorism (Protection of Premises) Bill (a.k.a. “Martyn’s Law”) [UK]

In the past seven years, the UK experienced at least 15 domestic terror attacks at public venues and in other public spaces. The most well-known of these was the bombing at AO Arena (formerly Manchester Arena) on May 22, 2017, which killed 22 people and injured over 1,000 others. By the government’s estimate, UK agencies and law enforcement disrupted at least 39 late-stage domestic terror plots during the same period of time.

This unfortunate trend wasn’t the only factor that prompted the government to acknowledge the need for improved protective security and operational preparedness regulations. The inquiry that followed the incident at Manchester Arena made a direct recommendation for regulatory reform, and in 2023, the assessment issued as part of the government’s updated counter-terrorism strategy (CONTEST) labelled the threat level from terrorism in the UK as “substantial,” deeming future attacks “likely.”

In response, the Terrorism (Protection of Premises) Bill — or Martyn’s Law — was introduced in the House of Commons on September 12, 2024. Martyn’s Law is a counter-terrorism bill that increases the operational safety and security standards by which UK venues must run, especially when holding events that are open to all or some of the public.

UK venues that fall under the jurisdiction of Martyn’s Law must register with the government, contingent on the regular completion of terrorism risk assessments, and must notify regulators when they seek to hold a qualifying public event. Those responsible for the venue’s operational safety and security must provide counter-terrorism training for its workers. Should an act of terrorism occur, the venue must also have established protocols for alerting emergency services and affected members of the public, evacuating the premises safely and securely, bringing necessary personnel into the venue safely and securely, and securing the venue’s physical space.

The goal of Martyn’s Law is to enhance the operational safety and security of public spaces, but more importantly, should the worst happen, to mitigate the negative consequences of a terror event. And as you may expect, compliance with Martyn’s Law is also enforced through a series of penalties ranging from monetary penalties for lesser infractions to a potential shutdown of a venue or event for more serious or persistent cases of noncompliance.

Health Infrastructure Security and Accountability Act (HISAA) [US]

In February of this year, a subsidiary of a major health insurance company in the United States experienced a ransomware cyberattack from a Russia-based gang that claimed to have stolen more than six terabytes of data including medical records containing “sensitive” data. In response, the insurer reportedly made a payment of $22 million to the gang in order to restore their systems, but operations at hospitals and pharmacies were either partially or completely offline for more than a week.

The fallout of this event reverberated throughout the larger US healthcare system. While this ransomware cyberattack was of a relatively high order of magnitude, it’s also emblematic of an increasingly common trend among health care companies. And in response to this growing threat, a bill designed to strengthen health information security standards called the Health Infrastructure Security and Accountability Act (HISAA) was introduced in the US Senate on September 25.

HISAA amends sections of the Social Security Act — specifically, Title XI and Title XVIII — to establish new minimum security risk management standards by which all healthcare information systems and their business associates must operate, and enhanced security risk management standards for systems (and their respective associates) deemed to be either “of systemic importance” or “important to national security.”

New security risk management standards laid out in the bill include performing a cybersecurity risk analysis, establishing and stress testing an operational resilience plan in the event of disruption or other failure, and submitting documentation attesting to the completion of these requirements. Additionally, affected systems will be responsible for performing annual security compliance audits, the results of which will be reported to the Department of Health & Human Services (HHS). The Secretary of HHS must also complete their own audit of data security practices for at least 20 entities (or their associates) deemed to be of similar systemic importance. Both civil and criminal penalties for noncompliance with any of these requirements are laid out in the bill as well.

HISAA also contains a separate series of protocols for cybersecurity incidents affecting Medicare-eligible hospitals and critical access hospitals, including essential and enhanced cybersecurity practices and associated reporting requirements. Penalties for failure to comply with these standards by adopting safe cybersecurity practices include significant payment reductions. However, hospitals that do adopt enhanced cybersecurity practices could be eligible for accelerated and advance payments in the event that a cybersecurity incident occurs.

Next steps

Organizations remain vulnerable to a host of potential risks, and based on available assessments, will only be more susceptible in 2025. As a result, there has been an increase in the regulatory burden for these entities, which places a higher level of scrutiny on those stakeholders responsible for their security.

And as always, your organization must stay up to date to maintain strict compliance with the always-changing regulatory landscape. Despite the pace of change, ignorance of new or changing regulations is no excuse for a lapse in compliance.

Regulations that take effect in 2025 reach into many areas of business resilience, including operational risk management, third-party risk management, operational resilience, business continuity, and security management. The most effective way to meet the varied needs for compliance in all of these areas — and prepare to meet future regulatory obligations as new laws are enacted in the future — is with fully integrated resilience software that’s easy to customize, so your organization can flexibly adjust to changes in the regulatory environment and stay compliant. Noggin can deliver just that.

But seeing is believing — request a demo of Noggin and see for yourself.