Navigating the untamed frontier of cybersecurity compliance is no easy task. Whatever the root cause — the intricacies of global trade, the ever-expanding digital sphere, outsourcing data to a distant “cloud” — traditional jurisdictional boundaries are only growing blurrier (or crumbling altogether), while new lines are being drawn.
Companies that once had to abide by local and national regulations now need to know how their data is stored on servers diffused across continents to ensure compliance with a widening and increasingly complex range of rules and protocols.
Deducing the applicable regulations requires a holistic appreciation for a given company’s scope and scale — from geographic location, to the type and dispersion of its client base, the variety of data it stores and processes, the classification level of that data, and so on.
A publicly traded company that handles personal health information in the United States, for instance, falls under the jurisdiction of the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and — if it processes credit card data — the Payment Card Industry Data Security Standard (PCI-DSS).
Across the globe, regulations intended to set standards for safeguarding consumer privacy are being designed and enshrined into law, with a pronounced tilt toward greater transparency. This is happening in the United Kingdom (Data Protection Bill), Australia (Privacy Amendment), Canada (regulations that will coincide with the Digital Privacy Act), and the European Union (General Data Protection Regulation).
Andrew Douthwaite
Much of the incoming legislation will be enforced through the imposition of hefty fines and economic sanctions in the event of violation or non-compliance.
Through the GDPR, for example, the EU can levy fines of up to €20 million, a further financial penalty above and beyond ransom payments, tarnished brands, stock devaluation, and lawsuits. The GDPR also requires companies to tell consumers in what way their information is being used.
Additionally, the “right to be forgotten” — the right for consumers to ask that their data be deleted — is folded into the GDPR framework, along with the obligation for a company to produce an individual’s personally identifiable information upon request. On a basic level, that means businesses are obligated to know exactly what information is being used, why it is being used, and where it is being stored at all times.
What records are you responsible for keeping in terms of controlling and managing data? In what ways are you responsible for securing that data? Which hardware and software should you install to fortify and enforce that security? How are digital and physical security entangled? And, in the wake of an attack, which government agencies — the DHS’s National Cybersecurity and Communications Integration Center, the FBI’s Internet Crime Complaint Center, the U.S. Department of Defense Cyber Crime Center — are you required to contact and coordinate with?
In The Regulatory Review, Justin Daniel notes that in the United States there are “at least ten federal statutes that apply to cybersecurity, which assign regulatory roles to at least seven federal agencies.” Remediation can be extremely difficult, due in no small part to disagreements, according to Daniel, “over basic definitions and criteria, rapidly changing technology, and unclear boundaries between different types of cyber activity — like ‘cyber crime’ vs. ‘cyber terrorism’ — [that] create challenges when categorizing an attack.”
Add to this linguistic and legislative quagmire a tangle of federal and local law enforcement agencies, jurisdictional turf wars, and conflicting international laws. And even if a company tracks down the right agency, its priorities and those of the officers assigned to investigate the breach will likely end up misaligned. Federal agencies tend to focus more on national security interests and foreign hazards than lost revenue and shattered brands.
Conditioned — whether by quarterly financial reporting or the daily fluctuations of the stock market — to think short-term, many managers have put their faith in oversimplified and inaccurate risk calculations, resulting in stagnant or tightened cybersecurity budgets. Some prefer to gamble on skirting the threat altogether, or on dealing with a breach after the fact. Far better, according to this mindset, to weather the aftermath of an attack than to waste reserves on “costly” preventative measures and systems.
This view profoundly misapprehends the potentially existential consequences of a breach: ransoms, muddied brands, devalued stock, class-action lawsuits, fines and sanctions, even criminal investigations. While cybersecurity spending is expected to exceed $1 trillion over the next four years, the cost of damages is predicted to near $6 trillion per annum over the same period. Damages, in other words, may outstrip costs by a factor of 24:1.
The specter of punitive fines and sanctions, to say nothing of losing a job or going to jail, is not, of course, the sole reason for ensuring that a company’s compliance standards are up to snuff.
Whether cyber-security is outsourced to third-party firms or tackled in-house, compliance and security are two sides of the same coin. While some system administrators complain of merely “checking a box,” and audits and reporting are undoubtedly time consuming, most regulations are drawn up in response to the accumulated knowledge and experience of those who have suffered and survived cyber-threats. In other words, they are being put in place for a reason.
Security might be best thought of as a mindset, and one that starts at the top. All C-suite execs have the power to foment cultures of security. If you don’t already, start by reading a story a day about cybersecurity. Make compliance a byproduct of your company’s security plan: coordinate with IT teams, or evaluate and fund third-party systems. Additionally, get hands-on with risk assessments, scenario simulations, disaster recovery planning, and incident response meetings.
Compliance may be one piece of a larger puzzle, but it is a no less integral piece. Better compliance means better security, and better security means less risk of exposing proprietary assets and sensitive consumer data.
As byzantine as the regulatory landscape appears at first blush, cybersecurity legislation should be perceived as a profoundly useful reflection of the threat at hand. As such “compliance,” proclaims Rob Hegedus, CEO of Sera-Brynn, a cybersecurity audit firm, “is your strongest firewall.”
Andrew Douthwaite is vice president of managed services at cybersecurity firm VirtualArmour.