Cybersecurity compliance remains a challenge in the face of new regulations

A recent report published by Swimlane highlighted the ongoing challenges organizations face in cybersecurity compliance amid the rapid increase in new regulations. The report, titled “Regulation vs. Reality: Are Fed Attempts to Disclose Litigation Incidents Effective?” examines how these new regulatory measures impact security budgets and compliance strategies.

The findings show that as many as 93% of organizations have rethought their cybersecurity strategies over the last year due to the introduction of new regulations. Notably, 58% of these organizations have completely changed their overall approach. In response to these regulatory changes, 92% of organizations reported increases in their allocated budgets, with some even seeing budget increases of 50% or more.

Despite these changes, only 40% of organizations feel fully prepared to meet new compliance requirements. This uncertainty persists, with 19% saying their organizations have done very little to meet regulatory requirements. The report highlights the need for comprehensive investment in resources, tools and staff to achieve full compliance.

The report was created in the wake of significant developments, such as the U.S. Securities and Exchange Commission’s new cybersecurity incident disclosure rules and the EU’s Cyber Resilience Act (CRA). The study, which surveyed 500 enterprise cybersecurity decision-makers in the United States and the United Kingdom, aimed to understand the impact of the changing regulatory environment on cybersecurity strategies and budgets.

Michael Lyborg, Swimlane’s chief information security officer, highlighted the changing landscape, stating that geopolitical turmoil and complex regulations have made cybersecurity a strategic imperative. He stressed that while regulations are forcing us to rethink strategies and increase budgets, challenges such as talent shortages and fragmented infrastructure remain significant obstacles. Lyborg suggested that organizations must strike a balance between leveraging human knowledge in complex situations and leveraging AI-powered automation tools for routine tasks to effectively achieve compliance and resilience.

One of the key findings related to incident reporting. Fifty-six percent of companies said they could report security incidents to investors, boards and regulators in just one to two business days. However, 45% of respondents reported an increase in incident reporting times over the past year, indicating potential delays in the incident disclosure process.

The report also examined the state of readiness for the adoption of the EU Cyber Resilience Act: only one third of respondents expressed full confidence in their ability to meet the key requirements of this act. There was also significant consensus on the need to regulate AI, with 83% of respondents supporting regulatory oversight of the development and use of AI. The most frequently cited challenge in adopting or expanding the use of AI was balancing data collection and analysis needs with compliance with data protection regulations and user trust.

Cody Cornell, co-founder and chief strategy officer of Swimlane, emphasized the urgency of implementing robust cybersecurity measures based on his experience working with government agencies. He noted a clear disconnect between the strategic changes organizations are making and their confidence in achieving full compliance, pointing out that a more holistic approach across technology, talent, training and streamlined workflows is necessary.

The study, conducted by Sapio Research, included interviews with cybersecurity decision-makers from large enterprises in the US and UK, conducted via online surveys in March and April 2024.

This report highlights the critical need to continually adapt and invest in cybersecurity practices to successfully navigate the changing regulatory landscape.