Regulatory Compliance
The compliance requirements of the various industry and government standards can demand a high degree of effort from organizations and, in many cases, pose a considerable challenge. Because of the complexity involved, organizations often limit themselves to meeting the letter of each requirement without considering its underlying purpose.
The regulations surveyed below all emphasize the role of people in managing risk. Solutions that focus on the human element are therefore essential to meeting them.
Kymatio offers a fully automated, people-focused cybersecurity awareness program that provides insights and risk reports on the human factor, together with the evolution of awareness and alertness levels, based on real organizational data, to help meet global information security regulations.
ISO/IEC 27001 and 27002
Key elements of ISO/IEC 27001 include Annex A control A.7.2.2 (2013 edition; renumbered A.6.3 in the 2022 revision), "Information security awareness, education and training". It requires that all employees and relevant contractors receive appropriate awareness education and training to perform their jobs correctly and securely, together with regular updates on organizational policies and procedures relevant to their job function, including the legislation applicable to their roles.
CobiT
COBIT (ISACA's framework for the governance and management of enterprise IT) explicitly references the need for staff training: employees must receive proper guidance and ongoing training so that their knowledge, skills, internal controls, and security awareness remain at the level required to achieve organizational goals. It also emphasizes the need to ensure user compliance with policies and procedures, and that employees should be trained in ethical conduct and security awareness practices.
EIOPA
In its Guidelines on information and communication technology (ICT) security and governance, published in October 2020, EIOPA addresses ICT and security risk management, ICT within the governance system and strategy, and the information security function. Several sections call for human cyber risk to be incorporated not merely as an awareness line item but as part of the risk management system itself.
ENS
Spain's National Security Scheme (Esquema Nacional de Seguridad, ENS) establishes the security policy for the use of electronic media in the public sector, comprising basic principles and minimum requirements for adequate information protection. Security must be an integral process involving all human, technical, organizational, and material elements related to the system, with special emphasis on people's awareness.
Risk management is a fundamental part of the security process and must be kept continuously up to date. Proper risk management keeps the environment under control and reduces risks to acceptable levels.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) requires a formal security awareness program (Requirement 12.6 in PCI DSS v3.2.1) so that all personnel are aware of the importance of cardholder data security. Personnel must be trained upon hire and at least annually, must acknowledge at least annually that they have read and understood the company's security policy and procedures, must be screened prior to hire (Requirement 12.7), and those with security breach response responsibilities must be trained for them (Requirement 12.10.4).
European Banking Authority (EBA)
In its Guidelines on ICT and security risk management (2019), the EBA requires institutions to classify and assess the criticality of their business functions, processes and information assets, considering at minimum the requirements of confidentiality, integrity, and availability. The focus is on mitigation: measures to reduce security and ICT risk must be driven by the risk assessment. Special emphasis is placed on information security training and awareness: financial institutions must establish a training program, including regular security awareness programs, for all staff and contractors, to reduce human error, theft, fraud, misuse, or loss and to address information security risks.
NISTIR 8286A: Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM)
This document complements NIST Interagency/Internal Report 8286 by providing additional detail on risk guidance, identification, and analysis. It describes scenarios based on the potential impact of threats and vulnerabilities on enterprise assets, and documents the likelihood and impact of threat events in cybersecurity risk registers that are integrated into enterprise risk profiles.
A specific reference is made to:
PR.AT Awareness and Training:
- All personnel have been trained in physical and information security practices.
- Internal users may fall victim to phishing attacks due to insufficient training.
Health Insurance Portability & Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to protect the health insurance coverage of millions of US workers and their families, including those with medical conditions. Among the administrative safeguards of its Security Rule (45 CFR § 164.308(a)(5)) is the requirement to implement a security awareness and training program for all members of the workforce, including management.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act of 2002 (FISMA, updated by the Federal Information Security Modernization Act of 2014) establishes a framework for protecting US federal information and information systems. It requires agencies to provide security awareness training that informs all personnel, including contractors and other users of information systems that support agency operations and assets, of the information security risks associated with their activities and of their responsibilities in complying with agency policies and procedures.
FACTA – FTC Red Flags Rule
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) amends the Fair Credit Reporting Act (FCRA) and gave rise to the Red Flags Rule, issued in 2008. The rule requires financial institutions and creditors to identify, detect, and respond to "red flags" that signal possible identity theft. Institutions must maintain a written Identity Theft Prevention Program (ITPP), and employees must be trained to recognize the relevant red flags and to carry out the other parts of the program.
Gramm-Leach Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, directs federal agencies and authorities to establish standards for financial institutions covering administrative, technical, and physical safeguards that:
- Ensure the security and confidentiality of customer records and information;
- Protect against anticipated threats or hazards to the security or integrity of such records;
- Protect against unauthorized access or use of such records or information that could result in substantial harm or inconvenience to any customer.
Sarbanes-Oxley (SOX)
The Sarbanes-Oxley Act of 2002 (SOX) regulates corporate financial reporting in the United States to improve the quality of financial information, with provisions on accounting standards, internal control over financial reporting (Section 404), corporate governance, auditor independence, and increased penalties for financial crimes.
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard
The NERC Critical Infrastructure Protection (CIP) standards, in CIP-004 (Personnel & Training), require the Responsible Entity to establish, document, implement, and maintain a security awareness program so that personnel with authorized cyber or physical access to Critical Cyber Assets (termed BES Cyber Systems in current versions of the standard) receive continued reinforcement in sound security practices.
The program should include at least quarterly security awareness reinforcement using mechanisms such as:
- Direct communications (e.g., emails, memos, computer training)
- Indirect communications (e.g., posters, intranet, brochures)
- Support and reinforcement from management (e.g., presentations, meetings)
US State Privacy Laws
Several US states have their own privacy laws that require staff training. Notable examples include:
- Texas Health Privacy Law: H.B. No. 300, Health and Safety Code § 181.101, requires employees to be trained in both the state law and HIPAA. Penalties are as high as those for HIPAA violations.
- Massachusetts Data Security Law: 201 CMR 17.03 requires ongoing employee training as part of a comprehensive written information security program.
Related US federal guidance also references training and awareness:
- Federal Sentencing Guidelines for Organizations
- SEC Cybersecurity Examination Initiative Guidance
Basel III
Basel III is a set of internationally agreed measures developed by the Basel Committee on Banking Supervision in response to the 2007–09 financial crisis. Its aim is to strengthen the regulation, supervision, and risk management of banks.
Solvency II
The regulatory framework of the Solvency II directive (Directive 2009/138/EC) gives insurers and supervisors a better understanding of the risks facing the insurance sector as a whole in an increasingly complex and globalized world, where risks are larger and more closely interconnected.