Compliance Laws & Regulations

Compliance Laws

OSPAR: The Outsourced Service Provider's Audit Report (OSPAR) is the framework that external auditors use to validate an Outsourced Service Provider's (OSP's) adherence to the guidelines specified by the Association of Banks in Singapore (ABS). It is relevant to any OSP delivering services to Financial Institutions in Singapore.

How was OSPAR established?

The Association of Banks in Singapore ("ABS") established the Guidelines on Control Objectives and Procedures for Outsourced Service Providers, also called the "ABS Guidelines," which set out information security guidelines for Outsourced Service Providers ("OSPs") that wish to provide services to Financial Institutions ("FIs") operating in Singapore. These guidelines form the minimum/baseline controls that an OSP wishing to serve FIs should have in place.

How does an OSP receive an OSPAR attestation?

To demonstrate that it meets the ABS Guidelines, an OSP can undergo a third-party audit and receive an Outsourced Service Provider's Audit Report (OSPAR) attestation. An OSPAR attestation shows an FI that the OSP's controls are designed and operating effectively to meet the control objectives relevant to the provision of outsourced services, and that the outsourced services maintain the same level of governance, rigor, and consistency as if they were still managed by the FI itself.

SHIELD: New York's "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act defines "Private Information" to include a Social Security number, driver's license number, credit or debit card number, financial account number (with or without a security code), biometric information, and a username or e-mail address combined with a password or security question that permits access to an online account. It requires any person or business that owns or licenses computerized data containing New York residents' "Private Information" (whether or not it otherwise does business in New York) to implement a "data security program" with reasonable administrative, technical, and physical safeguards, and it broadens New York's security breach notification requirements.

Every employer with employees in New York must comply with the SHIELD Act, because "private information" includes an individual's name combined with a Social Security number.

https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/pages/new-york-shield-act.aspx

CPRA: The California Privacy Rights Act (CPRA) is an amendment to the CCPA; its main provisions take effect January 1, 2023.

The CPRA is the most comprehensive consumer privacy law in the United States. In November 2020, California voters approved the California Privacy Rights Act of 2020, otherwise known as the CPRA. It amends and extends the California Consumer Privacy Act (CCPA), which the California legislature enacted in 2018.

The CPRA modifies, expands, and clarifies privacy rights for California residents, and it takes inspiration from the EU's GDPR in several ways. For instance, the CPRA creates a new enforcement agency. Previously the CCPA was enforced by the California Office of the Attorney General. In the EU, GDPR is enforced by dedicated data protection authorities, and California has now implemented one too: the California Privacy Protection Agency (CPPA).

CCPA: "The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA's purposes. The proposed regulations would establish procedures to facilitate consumers' new rights under the CCPA and provide guidance to businesses for how to comply."

https://www.oag.ca.gov/privacy/ccpa

GDPR: "Regulation (EU) 2016/679 of the European Parliament and of the Council, the European Union's ('EU') General Data Protection Regulation ('GDPR'), regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU."

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

HIPAA: "HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has emerged into greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers."

https://searchhealthit.techtarget.com/definition/HIPAA

FISMA: "FISMA 2014 [the Federal Information Security Modernization Act of 2014] codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies."

https://www.dhs.gov/cisa/federal-information-security-modernization-act

Compliance Regulations

NIST: "NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Modernization Act (FISMA). NIST also assists those agencies in protecting their information and information systems through cost-effective programs."

https://digitalguardian.com/blog/what-nist-compliance

DFS: "The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions."

https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial

PCI: "PCI DSS, or the Payment Card Industry Data Security Standard, is the set of requirements for organizations who process card payments." It applies to any organization that stores, processes, or transmits cardholder data.

https://www.tripwire.com/state-of-security/regulatory-compliance/beginners-guide-pci-compliance/

Frameworks

ISO: The International Organization for Standardization is an independent, non-governmental organization that publishes specifications for products, services and systems to ensure quality, safety and efficiency. In its own words, "ISO creates documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose."

https://www.iso.org/standards.html

SOC: System and Organization Controls are a suite of reports from the AICPA that accounting/audit firms can issue in connection with system-level controls at a service organization. Currently there are SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity report offerings. In addition, there are "SOC +" reports in which another standard (e.g. HIPAA, HITRUST, NIST) is added to the SOC examination.

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
