
"blogger, InfoSec specialist, super hero ... and all round good guy" 



5 Critical Regulations for Cyber Security Compliance

Cyber security compliance is more important than ever. With new technologies and digital connections happening every day, small and medium-sized businesses (SMBs) must properly comply with cyber security regulations across the board. Which ones, though, should you focus on the most?

You’ll find that compliance in the United States will vary by state and industry. Some regulations, however, are overarching laws that all businesses in any industry must follow. That way, they can protect themselves from cyber threats and protect sensitive customer information as well.

The following regulations are essential for protection in the modern world.

1. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit cards as a form of payment. As the pandemic increased U.S. e-commerce by about $175 billion in 2020, more businesses than ever are handling card payments.

This standard helps companies protect themselves and their customers against any sort of cybercriminal activity, including breaches, hacks and theft. It mandates that businesses have firewalls, encryption and other safeguards in place to protect confidential financial information during transactions of any sort.

In addition, the standard emphasizes the need to secure public networks, since they are a common entry point for attackers, and to restrict access to cardholder data so that it is protected further.

2. CCPA & 23 NYCRR 500

The California Consumer Privacy Act (CCPA) and 23 NYCRR 500 from the New York Department of Financial Services (NYDFS) are two separate cyber security compliance regulations. However, they both take a similar approach to security.

Since the U.S. doesn’t have an overarching federal cyber security law, states take it into their own hands to create regulations. Thus, California and New York both put an emphasis on risk assessment, transparency and protections in these laws.

In California, the act gives residents the right to allow or deny the ways companies use their private information. In New York, the regulation requires covered businesses to maintain a strong cyber security program.

It’s critical to remember that both regulations apply to businesses located in these states as well as businesses that serve individuals who live there. You’ll have to comply either way.

3. GDPR

Unlike the U.S., the European Union has an EU-wide cyber security and privacy law: the General Data Protection Regulation (GDPR). Similar to California’s and New York’s laws, the GDPR applies to businesses operating in the EU and to those that do business with residents there.

The regulation entails strict protections for EU residents. Primarily, it requires companies to notify consumers of how they plan to use their personal data. This obligation applies to any purpose, whether research or advertising. Companies that fail to comply can receive a hefty fine: Google faced a $57 million fine from the EU after not disclosing that it used consumer data for advertising.

4. HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) applies to any company or organization that handles health data. A hospital will certainly qualify, but a smaller business that keeps employee health records on file will qualify as well.

This act requires organizations to store health data securely, using encryption, restricted access and whatever IT safeguards are available. Employees must also be properly trained in protecting this information. Together, these measures make the data far less exposed to cyber criminal activity.

This information is vital to protect, especially as health has become a primary concern during the pandemic. Moreover, 47% of SMBs have had a security breach within the past year. Thus, it’s more important than ever for you to comply with HIPAA and protect health data throughout the pandemic.

5. NIST 800-53

The National Institute of Standards and Technology (NIST) publication 800-53 applies to every federal agency. With these guidelines, agencies can secure their data and information systems by improving their cyber defenses. The regulation covers any agency that handles federal information.

NIST 800-53 mandates that agencies and organizations build resilient systems that can monitor for, detect and fend off cyber threats of any kind, from malware to phishing scams.

They must also create an environment that supports auditing, training, access control, incident response and authentication. With these in place, federal agencies can protect themselves and their clients effectively.

Compliance for All Businesses

Cyber security compliance is a necessity for any business in any industry. With these five regulations, you can properly protect your customers’ private data and your organization from cyber risks. Implementing the required training, encryption and systems in your business is the best next step you can take.
