
Regulatory Risk

Regulatory risk is the risk that a vendor's noncompliance with applicable laws and regulations exposes the first party to regulatory penalties, enforcement actions, or reputational harm. Key regulations driving third-party cyber risk management programs include the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Digital Operational Resilience Act (DORA), NIS2, U.S. Securities and Exchange Commission cybersecurity disclosure rules, and U.S. state-level data breach notification laws.