The Cybersecurity Regulatory Crackdown
We claim we are in a new era of cybersecurity threats and that ransomware is the threat du jour, given how WannaCry and Petya continue to make waves. But we are also in an era of a new wave of cybersecurity regulations. When looking at the latest attacks, some would argue that the same old vulnerabilities are to blame, and that is because organizations are dragging their feet in implementing the critical security measures to protect themselves.
High-profile breaches like those that impacted HBO, Target and Home Depot are just three examples — but there are many others (too many to list for 2017 alone, and we still have roughly four-and-a-half months to go). As a result, we’re now seeing new regulations emerge that are forcing organizations to get their proverbial houses in order. These regulations feature a new characteristic: They’re hitting companies where it hurts, with steep penalties for those that don’t comply.
Other than the obvious rise in attacks, why are so many new regulations popping up today? For starters, many of the biggest cyberattacks we’ve seen to date were largely preventable. For example, with WannaCry, hackers exploited a patching code vulnerability. Regarding the stolen HBO data, hackers exploited a file transfer protocol. And even the infamous LinkedIn breach could have been prevented with proper identity governance controls in place to manage digital identities.
Based on these examples, it’s clear that technology is no longer enough. It takes a combination of people, processes and technology to effectively combat today’s threats, which is why we’re seeing the regulatory environment heat up. The New York Department of Financial Services cybersecurity regulation, for example, requires that financial services companies hire a CISO who will put the proper risk assessments and processes in place for employees to use and follow. This regulation also requires that firms report any attempted data breach, and that they enforce their third-party providers to step up their security measures too.
The ‘GDPR Effect’
So where companies are lagging, federal, state and local governments are all stepping it up. The first regulation that shocked the cybersecurity world was GDPR, not so much by its depth (although it is thorough), and not by its breadth (it will impact not just European companies, but any companies that do business in Europe) — but because of its penalties, the steepest seen so far. Enterprises are likely scrambling to understand the ramifications, but rather than calling in cybersecurity vendors to help them comply with GDPR, they’ve rallied their attorneys to understand their potential liability.
From there, the GDPR effect soon followed with other regulations popping up all over the country and the world, from the New York State regulation mentioned earlier, to similar cybersecurity regulations in China and Singapore. Just recently, the U.K. announced an addendum of sorts to GDPR with its own data protection bill that puts more control in the hands of consumers, giving them the right to be forgotten.
These rights pose significant challenges for companies that hold and collect personal data. Complex chains of data processing, storage and sharing between providers exist in most IT ecosystems. Can organizations today confidently say they have the ability to honor that agreement with the end user? Not likely.
This regulation puts the burden and responsibility on businesses to put the right processes in place in order to readily comply with this new rule. And once again, a steep fine is attached to non-compliance with this regulation — to the tune of up to £17 million, or 4% of global revenue — in cases that involve the most serious data breaches.
An Industry Emerges
While all this is playing out, an industry is emerging, and though it’s still trying to figure out its business model, its impact is already being felt. That industry is cyberinsurance. Clearly, there is a need.
And with GDPR, cyberinsurance is the perfect platform. WannaCry and Petya have become free advertisements for cyberinsurance, which has quickly become a fast-growing market. According to Fitch Ratings (via Reuters), cyberinsurance grew 35% in 2016 to $1.35 billion.
But insurers might be nervous in the wake of an attack of WannaCry’s scope, and could be looking at limiting their cyberinsurance exposure. One way to do that is to assess potential insurees based on their risk potential.
This means that cyberinsurers will start using things like adherence to cyber regulations as a measuring stick. For example, any organization that fails to demonstrate compliance with mainstream regulations — coupled with any non-adoption of encryption, identity governance and other preventative security technologies, along with the absence of a CISO — will most likely either be disqualified by cyberinsurers or face prohibitive premiums.
At the end of the day, should an organization decide to simply skim the surface when it comes to cybersecurity, not only will it put itself at serious risk, but it will struggle to find a single cyberinsurance provider that will insure it. This industry will soon come full circle, where companies will need to do nothing less than comply to a certain level of cybersecurity and be accountable for their breach.
This means putting the right technology and processes in place and investing in a CISO to take charge of an organization’s cybersecurity posture. These are absolute musts today. This is true not just from a regulatory and cyberinsurance standpoint, but from an overall risk management perspective as well.
Ultimately, companies have no choice today but to start the lengthy and painful journey of complying to state, local, federal — and now global — regulations, while also investing in implementing a modern IT security infrastructure to protect their customers’ invaluable data.
This article was originally published on Forbes.com.