The global cybersecurity regulation and compliance landscape is ever-shifting. This means companies are (or should be!) hunting for the latest tweak to regulations governing their businesses.
While U.S.-based businesses without an international outlook might find it easier to keep up, the same cannot be said for U.S. businesses that want to expand globally.
In a chat with Techopedia, Secureframe CEO Shrav Mehta said many U.S. businesses are looking to the U.K. or Europe for inspiration on how to navigate certain areas of cybersecurity regulation.
For Mehta, the core issue lies in the differences between U.S. and U.K. cybersecurity frameworks.
The U.K.’s stricter data privacy regulations, heavily influenced by GDPR, offer a more compliance-driven approach. In contrast, the U.S. prioritizes safeguarding critical infrastructure and government agencies.
These contrasting approaches pose challenges for U.S. enterprises expanding internationally, as navigating varying global compliance regulations can be complex.
We sat down with Shrav Mehta, founder and CEO of Secureframe, for a one-on-one chat to ask how U.S. businesses can learn from the U.K.
About Shrav Mehta
As a teenager, Shrav Mehta developed more than a dozen mobile apps that received millions of installs. At age 23, he co-founded Secureframe with Natasja Nielsen after encountering clunky security and compliance processes at the startups where he previously worked.
Secureframe automates those services, and the company has gained more than 2,000 customers. It has raised $79 million from investors, including Kleiner Perkins, Accomplice Ventures, Gradient, and Base10.
Key Differences in U.S. and U.K. Digital Privacy and Compliance Regulations
Q: Can you point out the key differences between regulations like GDPR and the current U.S. cybersecurity regulatory landscape and how these differences impact businesses operating in both regions?
A: Europe has definitely been ahead on the data privacy front. They were the first ones to launch GDPR, and the U.K.’s privacy laws are also primarily governed by GDPR. It was retained in U.K. law, even after Brexit, alongside the Data Protection Act.
When it comes to the U.S., we’re a lot more fragmented here. We have federal laws and then state laws. The first major law we had here was the California Consumer Privacy Act (CCPA), and now we have the CPRA [California Privacy Rights Act of 2020] as its successor.
Many technology companies have a presence in California and have customers around the world — so many businesses have had to adopt CCPA even though it’s a state law.
So, CCPA is probably the most common privacy regulation you’ll see applied in the U.S., and companies in other states will often state that they follow CCPA and plan to follow upcoming regulations.
Many of these regulations are indeed based on or similar to GDPR. We’re seeing a lot of the new privacy legislation coming out to take inspiration from GDPR.
The Challenges U.S. Enterprises Face in Global Compliance
Q: U.S. companies often face a patchwork of compliance regulations across different states and countries. How can these variations hinder a company’s cybersecurity strategy, and what are some best practices for navigating them?
A: U.S. companies often face compliance regulations across different states and countries. These variations can hinder a company’s cybersecurity strategy by creating complexity and inconsistency in security measures.
Companies like ours, along with many other data privacy, protection, and security companies, are addressing various subcategories within the data security space. There’s so much software emerging to make this process easier.
At Secureframe, our goal is to help automate some of the very tedious parts of these processes and help these companies stay compliant with regulations like GDPR and CCPA. While these regulations do add some burden to companies, I believe they are essential.
Every company should be implementing strong data management practices, whether mandated by law or not. Regulations are coming in to ensure we have a strong baseline for managing our data.
The Role of AI in Streamlining Complex, Cross-border Compliance
Q: With artificial intelligence augmenting many tech processes, how can it be used to streamline complex, cross-border regulations, particularly for U.S. companies venturing into global markets?
A: AI is definitely going to play a big role in privacy and security in various ways. At Secureframe, we’ve launched new technologies around generative AI, introducing methods for remediating and detecting security and privacy issues as they arise.
We’ve developed technology to help map and enforce data security controls and offer tools to ensure consistency between different frameworks.
There are many privacy frameworks, such as GDPR, CCPA, and others in Brazil and elsewhere, alongside various security regulations with overlapping requirements. Using AI, we’ve identified similarities across these frameworks to save time.
For example, most frameworks require securing data at rest and in transit, so we can address this once and apply it broadly.
AI is also enhancing data privacy by enabling document reviews for Personally Identifiable Information [PII]. For instance, someone can upload a sensitive document to GPT-4 or another model to identify PII, even in formats like scanned PDFs without OCR.
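The "address it once and apply it broadly" idea in that answer is, at bottom, a control-mapping problem: one shared control (say, encryption at rest) backs requirements in several frameworks, so evidence for it should close all of them at once and a gap report should show only what is still open. The following Python is an added illustration of that model; it is not Secureframe's code and not any standard's official mapping. The framework names are real, but the requirement ids (`CC6.1-like`, `Art32-like`, and so on), the evidence keys, the pass thresholds and the sample evidence values are all constructed for this example.

```python
"""Cross-framework control mapping: evaluate each shared control once, then
roll the result up to every framework requirement it backs.

Added example, not Secureframe code. Requirement ids are constructed
placeholders, not the standards' own clause numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    evidence_key: str  # which evidence field proves this control


# Shared control catalogue (constructed). One control can back many frameworks.
CONTROLS = {
    "ENC-REST": Control("ENC-REST", "Customer data encrypted at rest", "storage_encryption"),
    "ENC-TRANSIT": Control("ENC-TRANSIT", "TLS enforced for data in transit", "tls_min_version"),
    "ACCESS-REVIEW": Control("ACCESS-REVIEW", "Access reviews at least quarterly", "last_access_review_days"),
    "DPIA": Control("DPIA", "Data protection impact assessment on file", "dpia_completed"),
}

# Framework -> requirement id (constructed placeholder) -> controls that satisfy it.
FRAMEWORKS = {
    "SOC 2": {"CC6.1-like": ["ENC-REST", "ENC-TRANSIT"], "CC6.3-like": ["ACCESS-REVIEW"]},
    "ISO 27001": {"A.8.24-like": ["ENC-REST", "ENC-TRANSIT"], "A.5.18-like": ["ACCESS-REVIEW"]},
    "GDPR": {"Art32-like": ["ENC-REST", "ENC-TRANSIT"], "Art35-like": ["DPIA"]},
}


def _tls_at_least_1_2(value) -> bool:
    """Parse 'major.minor' and require TLS 1.2 or newer; malformed input fails closed."""
    try:
        major, minor = (int(p) for p in str(value).split("."))
    except ValueError:
        return False
    return (major, minor) >= (1, 2)


# How each evidence value is judged (constructed thresholds).
PREDICATES = {
    "storage_encryption": lambda v: v is True,
    "tls_min_version": _tls_at_least_1_2,
    "last_access_review_days": lambda v: isinstance(v, int) and v <= 90,
    "dpia_completed": lambda v: v is True,
}


def evaluate_controls(evidence: dict) -> dict:
    """Judge every shared control exactly once; missing evidence counts as failed."""
    status = {}
    for control_id, control in CONTROLS.items():
        value = evidence.get(control.evidence_key)
        status[control_id] = value is not None and PREDICATES[control.evidence_key](value)
    return status


def framework_gaps(evidence: dict) -> dict:
    """Per framework, list requirement ids not fully backed by satisfied controls."""
    status = evaluate_controls(evidence)
    return {
        framework: [req for req, control_ids in reqs.items()
                    if not all(status[c] for c in control_ids)]
        for framework, reqs in FRAMEWORKS.items()
    }


def reuse_count(control_id: str) -> int:
    """How many framework requirements a single control closes at once."""
    return sum(control_id in control_ids
               for reqs in FRAMEWORKS.values() for control_ids in reqs.values())


# Constructed evidence: encryption is in place, but access reviews are overdue
# and no DPIA has been completed.
SAMPLE_EVIDENCE = {
    "storage_encryption": True,
    "tls_min_version": "1.2",
    "last_access_review_days": 120,
    "dpia_completed": False,
}

if __name__ == "__main__":
    for framework, open_reqs in framework_gaps(SAMPLE_EVIDENCE).items():
        print(f"{framework}: {'no gaps' if not open_reqs else ', '.join(open_reqs)}")
    print("ENC-REST closes", reuse_count("ENC-REST"), "requirements across frameworks")
```

With the sample evidence, the two encryption controls are evaluated once and close one requirement in each of the three frameworks, while the overdue access review and missing DPIA surface as one open item per framework. The fail-closed handling in `_tls_at_least_1_2` and the "missing evidence counts as failed" rule are deliberate: a mapping engine that defaults unknown evidence to "compliant" silently hides gaps.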
Why the E.U. Outpaces the U.S. in Certain Areas of Cybersecurity
Q: In your experience, what factors contribute to the E.U.’s lead in certain aspects of cybersecurity compliance?
A: The E.U. tends to be much stronger on the regulatory side. This isn’t necessarily a good or bad thing. The U.S., on the other hand, tends to be much more against regulation. There’s a significant sentiment that AI should not be regulated too early, as we don’t fully understand its capabilities yet, and premature regulation could limit its growth.
China, for example, is unlikely to impose such early regulations, which adds a political dimension to the U.S.’s preference for deregulation.
The U.S. generally favors letting the market decide how companies should operate, whereas the E.U. is more prescriptive with its regulations.
A good example of this is the E.U. requiring Apple to switch from Lightning adapters to USB-C for all devices. This wasn’t even considered in the U.S., but it was more cost-effective for Apple to standardize on USB-C globally. Similarly, the E.U. is intervening in the App Store marketplace and how Apple governs it within the E.U.
In the U.S., OpenAI has around 30 to 40 lobbyists working with the government on AI regulation. Meanwhile, the E.U. is already ahead in figuring out ways to regulate AI.
It’s not clear yet whether all these regulations will be beneficial or detrimental; only time will tell.
The E.U. tends to be more proactive in its regulatory approach, while the U.S. takes a more hands-off stance, allowing more room for technological growth and market-driven solutions.
Q: Can you detail your strategies for helping U.S. enterprises strengthen their global compliance posture?
A: When we started Secureframe, we became global within the first year, gaining customers in Europe. In the U.S., companies need to comply with standards like SOC 2, HIPAA, and PCI for payments, and federal frameworks like NIST and FedRAMP for government work.
In Europe, similar frameworks exist, such as ISO 27001, the international equivalent of SOC 2. U.S. companies often get both certifications to facilitate international business.
Using AI, Secureframe technology helps avoid duplicative work for certifications that have significant overlap, like SOC 2 and ISO 27001. We’ve expanded significantly into Europe, where GDPR compliance is essential and ISO 27001 is common.
Additionally, a new security framework called DORA is becoming important for European fintech and financial services companies. We’re seeing a lot of traction from customers needing to comply with these standards.
International Collaboration on Cyber Regulation and Compliance
Q: Cybercrime transcends national borders. How can the U.S. and Europe improve collaboration on cybercrime prevention and response efforts to achieve more unified global cybersecurity compliance?
A: We’ve made significant improvements over the past several years, particularly with global databases like CVE that alert us to new vulnerabilities. Tools now allow for quick patching, significantly improving response times.
However, the U.S. could better collaborate with the E.U. on data privacy, such as where data for European versus U.S. residents is stored and the rules for transferring data between regions.
These regulations can be overly burdensome due to differing laws and frameworks across countries.
It would be problematic if every U.S. state had its own version of CCPA instead of a federal standard. Greater cohesion, both within the U.S. and internationally, would improve how we handle data.
The Future of Cybersecurity Regulations
Q: What are some of the emerging trends in cybersecurity regulations that both the U.S. and E.U. should be prepared for in the coming years?
A: Today’s regulations have largely focused on data privacy, such as data storage and cookie consent banners. However, we’ve seen less emphasis on security. There aren’t many regulations requiring companies to be SOC 2 or ISO compliant based on their consumer base or business type; such compliance is usually dictated by customers.
We need to establish baseline security standards in addition to data privacy standards. Although we haven’t reached that point yet, there’s growing legislation that aims to create a stronger regulatory landscape for security. This development will ensure that companies adhere to consistent security practices, complementing the existing privacy laws.