The four top compliance changes heading your way in 2024 – and how to manage them
2024 looks to be a landmark year for changes to the compliance and regulatory environment. ISA Cybersecurity’s Nitin Bedi discusses the changes that could have the greatest impact on your operations, and provides some practical advice on how to get – and stay – prepared.
Canadian Program for Cyber Security Certification (CPCSC)
“One of the areas that companies need to be watching is the CPCSC,” observes Bedi. “It is aligned with the same NIST 800-171 standard that guided the development of the latest version of the Cybersecurity Maturity Model Certification (CMMC 2.0) program that is being rolled out in the U.S. The American CMMC program applies to any organization that wants to carry out business with the U.S. Department of Defense; the CPCSC will do the same in the Canadian market.”
A phased implementation of CMMC 2.0 began in May 2023 and is scheduled to be fully in force in late 2025. A roll-out of the CPCSC could start as early as fall 2024 in Canada. The CyberSecure Canada certification program for small and medium-sized businesses is expected to continue for now, but in time the CPCSC may subsume it.
“While the CMMC and CPCSC programs are aligned with the NIST standard, they go into greater detail and provide guidance as to what needs to be done for every control. For example, CMMC describes three different levels of compliance required, depending on the kind of work you do with the government. We have yet to see how the CPCSC will follow suit.”
Bedi concedes that there can be a lot of work to do to achieve compliance, but that there’s a silver lining: “While the rollout of the CPCSC could be seen as a threat, it’s also an opportunity for companies looking to do business with the federal government. Even if you don’t currently do business in the sector, achieving CMMC or CPCSC compliance could open markets for an organization willing to make the investment and demonstrate its security posture.”
Bill C-26 and Bill C-27
Canada’s Bill C-26 has been a long time coming, and 2024 could be the year it is enacted. Bill C-26 is presented in two parts:
- The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system.
- The second is to enact the Critical Cyber Systems Protection Act (CCSPA), a law designed to protect critical cyber systems in the federally regulated sectors: systems that support services vital to national security or public safety and that are delivered or operated within the legislative authority of the Canadian Parliament.
“The Bill places strong obligations on major Canadian players in the industry; while you may not need to comply, if you do business with those organizations, you may have additional requirements, so it’s important to understand the implications,” warns Bedi.
Alongside Bill C-26 is Bill C-27, the Digital Charter Implementation Act (DCIA), which is designed to significantly modernize Canadian privacy law. This new law will introduce several important changes that organizations need to watch. The DCIA will repeal Part 1 (the privacy provisions) of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which has been in place for nearly a quarter century. Those provisions will be replaced with a privacy and data legal framework rooted in three new acts:
- Consumer Privacy Protection Act (“CPPA”): the main privacy law that will replace PIPEDA
- Personal Information and Data Protection Tribunal Act (“PIDPTA”): a new tribunal that would hear appeals of Privacy Commissioner decisions, taking over the review role the Federal Court plays under PIPEDA, and impose the administrative monetary penalties the CPPA introduces
- Artificial Intelligence and Data Act (“AIDA”): a foundation for the responsible design, development and deployment of AI systems that could have an impact on the lives of Canadians
“This Bill could bring the most transformative change, introducing new rules, and greater fines and consequences for non-compliance, just as there are for GDPR in the E.U. There is still no firm timeline for implementation, but organizations need to keep a close eye on draft legislation to assess potential impacts to their operations,” advises Bedi.
PCI DSS 4.0
Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), published by the PCI Security Standards Council (PCI SSC), takes full effect on March 31, 2024. Version 3.2.1 of the standard is retired on the same date, after which assessments must be performed against v4.0. Most of v4.0 is mandatory from that point; the exception is the set of future-dated new requirements (51 of the 64 requirements added in v4.0), which remain best practices until they become mandatory on March 31, 2025.
“Most organizations should have been working on this for some time. If not, they need to act very soon to stay in compliance. Not being able to process payment cards will put an organization in a compromising position very quickly. Many of the changes in Version 4.0 are logical continuations of changes in previous versions; requirements that were deemed best practices or recommendations previously, are considered mandatory,” says Bedi.
Managing Change
This is a lot of change. How can organizations prepare?
“First off, conducting a gap or readiness assessment is an important step. It’s tempting for organizations to start working down a checklist of changes, but having the big picture first is important. An assessment will give you a clear idea of where you stand, and what you need to do to work towards compliance. This allows you to develop an integrated plan and work on things in priority order,” says Bedi.
“Here’s an example: in some cases, an entire organization doesn’t need to be compliant with a piece of legislation or a contractual requirement. For PCI DSS, say, only the portions of the network that touch payment card data need to be within scope. You can right-size your compliance efforts strategically. A readiness assessment will give you visibility into what needs to be done, what can wait, and what might not need to be done at all.
“My second recommendation would be to develop a well-defined process for scanning the compliance landscape to be ready for upcoming changes. The regulators and governments understand that organizations cannot turn on a dime, so there are usually lengthy consultation periods that allow interested parties to preview new legislation, contribute their thoughts and concerns, and help shape the regulations. Get involved in these exercises, and keep an eye on how things are evolving so you can prepare without panic.
“Finally, I think it’s important to take a security-by-design and privacy-by-design approach when implementing new systems or software. People are finding that it can be complex, costly, and disruptive trying to retrofit systems to conform to privacy and security laws. Designing them with security and privacy in mind from the outset will save you time and money in the long run,” concludes Bedi.
Following changes in compliance and regulation can be complex. For success in the long run, stay current, get help if you need it, and plan ahead.