As Simeio’s CEO, Nick Rowe is responsible for driving the overall vision and strategy.

Identity and access management (IAM) has moved beyond a technical checkbox to become a core part of business operations. Yet many organizations still treat access controls as something that can be deferred until they are needed, a decision that can carry major financial and reputational consequences.

Consider Equifax, whose 2017 data breach exposed the personal information of more than 147 million Americans. The initial intrusion used an unpatched web application flaw, but the attackers then found unencrypted credentials stored on a server and used them to reach dozens of other databases, which is what turned a single compromised host into a company-wide breach. When all was said and done, the financial toll was staggering: at least $575 million in settlements with the FTC, the CFPB and the states, plus immeasurable damage to the company's brand and its reputation with customers.

Industry survey data from 2019 found that nearly three-quarters of breached organizations reported that privileged account access was involved, highlighting the direct link between IAM effectiveness and organizational security. That was more than five years ago, and the figure has likely grown as organizations moved more of their operations online when employees began working from home during the pandemic. The locations may have changed, but the cost of these breaches still extends far beyond immediate financial penalties.

Potential Fines In The Regulatory Landscape

With more information available online, regulators have stepped up enforcement around access management, with substantial penalties for non-compliance. In the United States, HIPAA civil penalties range from $141 to $71,162 per violation in Tiers 1 through 3 (with Tier 4 starting at $71,162), subject to an annual cap of more than $2 million per violation category. Separately, criminal HIPAA violations can carry imprisonment of up to 10 years in the most severe cases, such as disclosing health information with intent to sell it or cause harm.

Another example comes from the U.K., where the ICO fined TikTok £12.7 million (about $15.9 million) in 2023 for collecting personal data from more than one million U.K. children under 13 without proper parental consent. And in the Netherlands, Haga Hospital was fined €460,000 (about $516,000) under GDPR after dozens of staff accessed a well-known patient's medical records without a clinical reason; the regulator found the hospital had neither required two-factor authentication for its records system nor regularly reviewed its access logs.

These examples show the potential negative consequences of mismanaging cybersecurity and IAM. But how do we change this and take the steps to make it better? Based on my experiences as CEO of an IAM services organization, here are some further insights into regulatory expectations and how you can safeguard your company.

Understanding The Expectations

The cybersecurity landscape is constantly changing, especially now with the arrival of advanced AI. Attackers develop new techniques, and security teams respond in kind. Regulators respond too: U.S. agencies impose specific cybersecurity requirements on companies, and those requirements can change quickly if you are not paying attention. Here are just a few examples of regulations companies currently must follow:

• Cybersecurity Information Sharing Act (CISA): Enacted in 2015 and administered through the Department of Homeland Security (DHS), CISA provides a framework, and liability protections, for sharing cyber threat indicators between private companies and the federal government. (Do not confuse the act with the DHS agency of the same acronym, the Cybersecurity and Infrastructure Security Agency.)

• Gramm-Leach-Bliley Act (GLBA): The GLBA governs how financial institutions collect, handle and protect customer financial information. For non-bank financial institutions it is enforced by the Federal Trade Commission (FTC), whose amended Safeguards Rule (in force since June 2023) explicitly requires access controls and multifactor authentication for anyone accessing customer information.

• Securities And Exchange Commission (SEC): Under rules adopted in July 2023 and in effect since December 2023, the SEC requires publicly traded companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (not four days from discovery), and to describe their cybersecurity risk management and governance in annual reports.

It is very important that your leadership, including CISOs, team managers and engineers, all understand where these regulations currently stand and what could change in the coming years, so you can stay in line with what agencies expect.

Best Practices For Maintaining Compliance

When looking to bring your company into compliance, here are a few simple steps I have found to be effective:

• Use multifactor authentication (MFA). Deploy MFA across all systems and applications, fronted by a single sign-on (SSO) system so coverage can be enforced centrally. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or smart cards) for administrators and other privileged accounts, since one-time codes and push notifications can be phished or fatigued.

• Stay informed on evolving regulations. Track updates from standards and regulatory bodies such as NIST, ENISA and the FFIEC. This can help you anticipate future requirements, such as stricter breach notification deadlines or supply chain security mandates.

• Implement comprehensive IAM strategies. For example, I recommend adopting a zero trust architecture (as described in NIST SP 800-207) by applying "never trust, always verify" principles: authenticate and authorize every request based on the user, the device and the sensitivity of the resource rather than on network location. In my experience, this can significantly cut down the potential for breaches.

• Implement data loss prevention (DLP) strategies. By classifying sensitive data and applying controls that scale with its sensitivity, you can block access by users who should never have been able to see it in the first place, and detect when it leaves the environment.

• Conduct regular red team exercises. Preparedness is key, and I have found that conducting simulations of real-world attacks is a reliable way to test your organization and employees’ defenses and response capabilities and to address gaps that come up in the process.

• Demonstrate compliance leadership. One effective way to do this is by pursuing ISO 27001 certification or obtaining a SOC 2 attestation report to validate your security posture to customers and auditors. This shows customers you are taking extra steps to meet their compliance expectations, increasing their trust and loyalty.
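To make the MFA, zero trust and classification-based control steps above concrete, here is an added example, written for this article rather than taken from Simeio or any product, of a small policy decision point that evaluates each access request on its own merits. The role names, classification labels, authenticator strengths and thresholds are assumptions chosen for illustration; a real deployment would take them from the identity provider and the data classification catalog.

```python
"""Added illustration of per-request access decisions (not Simeio's code
or the article's): deny by default, MFA on every request, step-up for
restricted data and least-privilege role checks.  All labels, roles and
thresholds are made-up assumptions for the example."""
from dataclasses import dataclass, field

# Data classification levels, lowest to highest sensitivity (assumed labels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Least-privilege entitlements: the highest classification each role may read.
# A role that is not listed grants nothing.
ROLE_MAX_LEVEL = {
    "employee": "internal",
    "analyst": "confidential",
    "dba": "restricted",
}

# Authenticator strength as reported by the identity provider (assumed names).
# "phishing_resistant" stands for FIDO2/WebAuthn or a PIV smart card.
MFA_RANK = {"none": 0, "otp": 1, "phishing_resistant": 2}

# Restricted data requires a verification no older than this (assumed value).
MAX_SESSION_AGE_MIN = 15


@dataclass
class Request:
    user: str
    roles: set
    mfa: str               # strongest factor used in this session
    session_age_min: int   # minutes since the user last verified
    device_managed: bool   # device posture from the MDM, as an example signal
    resource: str
    classification: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def evaluate(req: Request) -> Decision:
    """Deny by default: every check below must pass for the request to succeed."""
    reasons = []
    level = LEVELS.get(req.classification)
    if level is None:
        return Decision(False, ["unknown classification"])

    # 1. MFA on every request, regardless of where the request comes from.
    if MFA_RANK.get(req.mfa, 0) < MFA_RANK["otp"]:
        reasons.append("mfa required")

    # 2. Step-up controls for the most sensitive data.
    if level >= LEVELS["restricted"]:
        if MFA_RANK.get(req.mfa, 0) < MFA_RANK["phishing_resistant"]:
            reasons.append("phishing-resistant mfa required for restricted data")
        if not req.device_managed:
            reasons.append("managed device required for restricted data")
        if req.session_age_min > MAX_SESSION_AGE_MIN:
            reasons.append("re-authentication required (session too old)")

    # 3. Least privilege: the best role the user holds must cover the classification.
    granted = max(
        (LEVELS[ROLE_MAX_LEVEL[r]] for r in req.roles if r in ROLE_MAX_LEVEL),
        default=-1,
    )
    if granted < level:
        reasons.append(f"no role grants {req.classification} access")

    return Decision(not reasons, reasons)


def sample_decisions() -> dict:
    """Constructed sample requests showing an allow, a step-up denial and a
    least-privilege denial."""
    return {
        "employee_internal": evaluate(Request(
            "alice", {"employee"}, "otp", 5, True, "wiki", "internal")),
        "analyst_restricted": evaluate(Request(
            "bob", {"analyst"}, "otp", 5, False, "patient-db", "restricted")),
        "dba_restricted": evaluate(Request(
            "carol", {"dba"}, "phishing_resistant", 5, True, "patient-db", "restricted")),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(name, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

The point of the structure is that the decision is made per request from the user's identity, the device and the data's classification, never from "the request came from inside the office network", and that a denial records every failed check so the access log explains itself during an audit or an incident review.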

Final Thoughts

In my experience, robust IAM controls can greatly reduce access-related security incidents, mitigating risks and potential damages. Operationally, companies can also see a significant decrease in administrative overhead, freeing up valuable resources and streamlining processes. And by building a security posture with regulatory compliance in mind, you can shield your organization from the reputational damage and fines that follow data breaches or compliance failures.
