Regulatory Compliance Requirements: What You Need To Know

Regulatory compliance is essential for any business and can actually be financially rewarding by avoiding fines and finding vulnerable areas in your company.

What is regulatory compliance? Regulatory compliance are laws and regulations a company must follow to remain in good standing with specific agencies, governments, and customers. These compliance standards are specific to industries and location and can result in large penalties if not followed correctly.

How Does Regulatory Compliance Work?

In any industry, there are regulations, and organizations operating in those industries must comply with these regulations. Compliance can cover a variety of different practices, processes, and operations within an organization. An organization will likely have more than one area of compliance.

Some of the different kinds of compliance include the following: 

• Financial Compliance: Organizations must maintain fair, transparent financial records and refrain from unethical or illegal financial practices that harm stakeholders or consumers.

  Examples of such regulations are the Federal Deposit Insurance Corporation (FDIC) rules for consumer protection and the Sarbanes-Oxley Act (SOX) that requires financial reporting and transparency for corporations to mitigate fraud.

  Additionally, Service Organization Control 2 (SOC 2) compliance is an attestation to investors and insurers regarding the security of systems holding customer data. It is administered by the American Institute of Certified Public Accountants.

• Cybersecurity Compliance: Cybersecurity regulations focus on the security and privacy of data in IT systems, including regulations covering the implementation of encryption, firewall security, network controls, breach prevention, and remediation efforts.

  Many modern regulations include cybersecurity requirements,such as Health Insurance Portability and Accountability Act (HIPAA) regulations, the Federal Risk and Authorization Management Program (FedRAMP), and Payment Card Industry Data Security Standard (PCI DSS).

• Regulatory Compliance: This unique form of compliance emphasizes the legal obligations an organization faces as part of its operation. Regulations are a legal form of governance that is predicated on legislation and oversight, typically from a governmental or adjacent regulatory body.

  This form of regulation can often overlap with the others. Compliance usually includes financial, IT, reporting, and audit logging requirements in many cases.

Because there are significant overlaps between different types of regulations, it is essential to understand where such laws come from. For example, HIPAA is a regulatory requirement for all healthcare providers, insurance companies, and associated vendors instituted and administered by federal and local governments. HIPAA, however, contains several provisions for cybersecurity and financial protection.

Conversely, SOC 2, while containing several provisions governing data management, security, and privacy, is not a regulatory requirement. It is not governed by law and is not required as part of any industry standards.

What Are Some Regulatory Compliance Regulations?

Different industries will typically include unique regulations. Some regulations will transcend industry and apply to a wide swath of common organizational types.

Some of the common regulations include:

	Organizations Applies To	Organization Governed By	Areas of Coverage	Requirements
Health Insurance Portability and Accountability Act (HIPAA)	Covered entities (hospitals, doctors, insurance companies) and their business associates	Department of Health and Human Services (HHS)	Protecting Private Health Information (PHI) from unauthorized disclosure	Cybersecurity controls; physical and administrative privacy controls
Sarbanes-Oxley Act (SOX)	Publicly traded corporations	U.S. Securities and Exchange Commission (SEC)	Requiring transparency in corporate financial reporting	Corporations must implement security, transparency, and accountability into financial reporting to stakeholders and the government
General Data Protection Regulation (GDPR)	All businesses collecting consumer data in the European Union	The EU Information Commissioner’s Office (ICO)	Protecting consumer information in EU jurisdictions	Businesses must implement privacy, security, and consent controls to protect consumer data from disclosure or abuse
California Consumer Privacy Act (CCPA)*	Midsize and large businesses in California	California Privacy Protection Agency (CPPA)	Protecting consumer information in California jurisdictions	Businesses must implement privacy, security, and consent controls to protect consumer data from disclosure or abuse
Federal Risk and Authorization Management Program (FedRAMP)	Cloud service providers working with federal agencies	The Joint Authorization Board (JAB) and Program Management Office (PMO)	Securing cloud systems used by federal agencies through third-party vendors	CSPs must implement NIST 800-53 and other controls to meet minimum standards
Cybersecurity Maturity Model Certification (CMMC)	Digital contractors working with Department of Defense agencies	The Department of Defense	Securing defense-related IT systems in the DoD supply chain	Contractors must implement NIST 900-171 and NIST 800-172 controls to work in the supply chain

*As of January 1, 2022, the CCPA will be amended into the California Privacy Rights Act (CPRA) with expanded regulations and controls.

Additionally, several standards are not required or governed by law but apply specifically to either industry practices or optional adoption by a company:

	Organizations Applies To	Organization Governed By	Areas of Coverage	Requirements
Service Organization Control (SOC) 2	Any who adopt the standard	American Institute of Certified Public Accountants (AICPA)	Data security, privacy, confidentiality, and integrity	Organizations must meet minimum security and privacy standards and undergo regular audits
International Organization for Standardization (ISO) 27000 Series	Any who adopt the standard	International Organization for Standardization (ISO)	Data and IT infrastructure security	Organizations design, develop, implement, and maintain Information Security Management Systems (ISMS)
Payment Card Industry Data Security Standard (PCI DSS)	Retailers and merchants accepting credit card payments	Payment Card Industry (including credit card companies like Visa, Mastercard, American Express, etc.)	Credit card and payment information	Payment processors and merchants must implement security practices to secure payment information from theft

What Is Governance, Risk, and Compliance?

Regulations often fall under a larger umbrella of strategies and practices that businesses follow, generally known as governance, risk, and compliance.

GRC includes the following practices:

• Governance: Integrated strategies and capabilities around governing business practices, data management, and security. Governance includes high-level planning and execution of business processes and objectives.
• Risk: Risk assessment and management are the practice of measuring financial risks, security vulnerabilities, or other potential hazards and using that information to make decisions around cybersecurity, IT infrastructure, administration, and other business decisions.
• Compliance: Governance and risk practices must be used to fuel compliance now and into the future.

What Are Some of the Penalties for Noncompliance?

Compliance, often governed by law, can carry significant penalties. Even frameworks governed in the private sector can affect how a company does business.

Some potential penalties include the following: 

• Financial Penalties: Financial penalties range from smaller fees to crippling fines. HIPAA compliance requirements, for example, scale financial penalties based on the severity of the breach. GDPR, on the other hand, only allows for two different tiers of penalties, each containing significant financial obligations on the part of the noncompliant organization.

• Loss of Licensing or Authorization: Some frameworks, like FedRAMP or CMMC, come with a baseline loss of certification for severe noncompliance. Here, organizations can no longer only operate in their industry.

• Legal Liability: If noncompliance leads to severe harm to an organization or individuals, organizations may find themselves legally liable. HIPAA contains several tiers of legal penalties, including jail time, for severe breaches or in cases of fraud.

• Impact on Business Operations: Some non-government regulations, like PCI DSS, work because the governing body can control how companies function in a business market.

  For example, if a merchant fails to comply with PCI DSS, there is not a default legal repercussion. Instead, the PCI (made up of all the major credit card providers like Visa, Discover, American Express, Mastercard, etc.) can levy fines for continued use of the credit card payment networks.

  Continuing noncompliance can force the PCI to label merchants with a negative rating, including higher fees and limited payment processing capabilities.

  Finally, the PCI can simply close a merchant’s account and make processing payments impossible.

Operationalize Regulatory Compliance

Regulatory compliance is a significant part of any business and must play a role in business strategy and IT infrastructure. Any company operating in regulated industries with standards must use technology to support regulations.

Sensitive content communications is involved in virtually every compliance regulation, and organizations must ensure they have the right policy controls and security processes in place. Learn how Kiteworks unifies, tracks, controls, and secures critical data as it moves into, within, and out of an organization for compliance across myriad regulations, such as HIPAA, PCI DSS, FedRAMP, and others, by scheduling a custom demo.

 

Back to Risk & Compliance Glossary