Is compliance the best insurance for managing cybersecurity risk in 2018?

Compliance to many is a dirty word and often misunderstood especially in the area of information security and risk management. However, in response to the increasing number of data breaches and real economic loss as well as threats to national security, regulators and policy makers are increasingly responding with laws, policies and regulations. There is an increasingly prescriptive set of security requirements that must be met by businesses and organizations operating online. Some of the recent data breaches have shown that cybersecurity risk can originate from the supply chain of vendors and business partners.

Understanding this dynamic, the U.S. Department of Defense started the ball rolling in 2013 requiring businesses and contractors to implement 110 specific security requirements described in NIST Special Publication 800-171 as part of a modification to the Defense Federal Acquisition Regulation Supplement (DFARS). Other U.S. Federal Agencies are following suit to ensure that suppliers are adhering to security best practices and are looking to amend the Federal Acquisition Regulations (FAR) later this summer. A number of federally focused media outlets like Federal News Radio are starting to cover this topic and organizations like the Advanced Technology Academic Research Center (ATARC) are beginning to help government agencies collaborate and share security best practices to help them get better at securing data assets.

There is also an increasing interest at the state level to drive change through compliance with new regulations. The Department of Financial Services (DFS) in the State of New York has taken a leadership position and established 23 NYCRR 500 with specific guidance on cybersecurity measures that financial entities must take when operating within the State of New York. The list goes on as more and more states start to look at ways to protect data hosted online. The State of South Carolina through S-0856 is seeking to enact the South Carolina Insurance Data Security Act to require operators to implement comprehensive information security program. Ohio Senate Bill 220 similarly seeks put in place regulations to help drive compliance with cybersecurity best practices. The National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law with support from top insurance regulators from the 50 states, the District of Columbia and five U.S. territories.

Clearly, cybersecurity is a top of mind issue with policy makers, legislators and regulators seeking to drive changes through a series of mandates and legal requirements. Businesses and organizations must take notice and prepare for this new world of requirements and get smart with implementing the right sets of solutions.

The right business response?

Many organizations will face tough decisions on how best to comply with these new requirements and regulations. Cybersecurity is a difficult problem to solve and requires a level of advanced technical expertise and will likely require business investment to be put in place. Clearly, in the past organizations have sought to limit the risk by buying cybersecurity risk insurance, enforcing flow-down provisions on suppliers and trying to manage the risk through largely administrative measures. This response may not work in a changing environment where policy makers are beginning to set specific standards such as the NIST Cybersecurity Framework or the NIST Special Publication 800-171 being used by the DOD. Organizations will not only need to put in place measures that ensure better security of data assets but also put in place demonstrable evidence of compliance with the prescribed security measures.

The right cybersecurity posture may also result in competitive advantage for businesses seeking to grow. Recent rulings have demonstrated the willingness of regulators and oversight agencies to establish the right for buyers to require and enforce compliance of cybersecurity standards when evaluating competing bids when pursuing business contracts. Clearly, the era of voluntary adoption of security best practices is fast coming to an end and just like a business might make investments in accounting software or human resource software to operate their business, they must make cybersecurity investments going forward.

Is compliance the best insurance?

Most people cringe or roll their eyes when told that security by compliance is the best path forward. The primary reason for this is the notion that compliance is merely a checkbox exercise that does not yield any true benefit and certainly does not yield better security. My experience has been slightly different. The challenge has been not the regulations or the compliance itself, but the manner in which compliance has been assessed and overseen. A strong and dynamic oversight and compliance framework must accompany the new cybersecurity regulations. This is an emerging area where industry, government and associations have an opportunity to fashion the right compliance architecture.

Security by compliance is a viable path forward to drive change, as it provides specific guidance on best practices and provides “an area to start.” By reviewing security requirements and complying with the new mandates, progressive organizations can not only meet the requirements in “letter” but also in “spirit” as an insurance policy against data breaches. Many of the requirements and specific policies being mandated through the various laws and regulations are common-sense security steps that any organizations should be taking anyways.

Luckily, there is a set of technical solutions available today that was lacking previously – cloud computing services from accredited providers such as Amazon Web Services (AWS) and Microsoft amongst others that can help provide a cost effective and rapid path to compliance. These corporations and their ecosystem of providers and partners have developed a vibrant set of solutions to meet a variety of needs in the marketplace and can provide a viable solution alternative. Cybersecurity issues and compliance with emerging requirements will continue to be a story in 2018 and organizations should start preparing their playbook to respond.