Being compliant with applicable laws and regulations is one of the four major goals of a Cyber Risk Management Program.
The other three are:
- Meeting your customers’ expectations (covered two weeks ago)
- Being resilient to cyber-attacks and cyber failures (covered last week)
- Becoming an unprofitable target by practicing great cyber hygiene
We’ll cover the last goal in a later post.
More Compliance in Your Future
Because of the growing importance of information security, there are already many laws and regulations, and some industries regulate themselves.
We can expect more to emerge in the coming years.
Compliance is Not Cybersecurity
As you’ll see below, each compliance mandate is focused on a particular type of data from the perspective of a particular stakeholder.
If you are a company that is required to comply with one or more of the following, you know it’s a lot of work.
Unfortunately, none of them alone, or even in combination, will help you address your cyber risks in the same thoughtful, intelligent way you manage lead generation, accounts receivable, or fulfillment.
How to Transcend Compliance
Rather than put your cybersecurity focus primarily on compliance, it’s much better to establish a robust cybersecurity program and then manage compliance as a healthy byproduct of your everyday actions.
The key to doing this is to first standardize using a broadly applicable cybersecurity standard, like the NIST Cybersecurity Framework.
Then, map all of your compliance mandates back to the Framework, filling in any gaps as you find them.
Why does this work? There is about an 80% overlap between all cybersecurity compliance mandates.
This approach also provides a great benefit: it allows your staff to focus on one set of standard operating procedures and avoids unnecessary duplication of effort.
Now, let’s review a few of the more common laws and regulations you’re likely to see.
Payment Card Industry Data Security Standard
PCI-DSS is a set of requirements for securing payment card customer data. It was developed by the founders of the PCI Security Standards Council, which include American Express, MasterCard, and Visa.
PCI-DSS applies to anyone handling credit card data, including retailers, banks, and the credit card companies.
Data Breach Notification Laws
These have been enacted in most U.S. states since 2002. California was the first in the U.S. The European Union enacted such a law in 2009.
They all require organizations to notify their affected customers about data breaches and require organizations to take other steps to protect consumers involved in the breach.
New York State Department of Financial Services
In 2016, NY-DFS proposed its Cybersecurity Regulation (23 NYCRR Part 500).
It’s designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.
Defense Federal Acquisition Regulation Supplement
DFARS focuses on protection of Controlled Unclassified Information (CUI) within the Department of Defense.
Examples include data on critical infrastructure and certain technical information with military or space application. NIST Special Publication 800-171 provides detailed guidance.
Federal Information Security Management Act of 2002
FISMA requires US federal agencies to implement a program to provide security for their information and information systems.
North American Electric Reliability Corporation
NERC has published standards for the bulk-power system of North America. They protect the industry’s critical infrastructure from physical and cyber threats.
Health Insurance Portability and Accountability Act
HIPAA requires the adoption of standards nationwide to protect electronic health care transactions. The law also requires guarding the security and privacy of personal health information.
The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly modified HIPAA in 2009. It added new requirements concerning privacy and security for patient health information.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) will supersede the Data Protection Directive from 1995. GDPR will be enforceable starting May 25, 2018.
Both of these laws regulate the processing of personal data of citizens in the European Union.
Critically for international commerce, the European Commission and the United States agreed to establish a new framework for meeting the requirements for transatlantic data flows in February 2016, known as the “EU-US Privacy Shield.”
Federal Financial Institutions Examination Council
The FFIEC IT Examination Handbook contains the Information Security requirements for financial institutions in the United States. It consolidates the many applicable laws and regulations and provides implementation guidance.
The FFIEC’s Cybersecurity Assessment Tool is voluntary and “provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”
Sarbanes-Oxley Act of 2002
SOX applies to publicly traded companies. It’s designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures, particularly financial disclosures.
Which Cybersecurity Regulations Should You Use?
Figuring out which laws and regulations apply to your organization takes time to research and usually requires legal counsel in order to be highly confident in your conclusions. You’ll want to be sure of which regulations apply to your business before you spend significant time and money trying to comply with them.
Cyber Risk Opportunities helps middle market companies transcend compliance by prioritizing and reducing your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at firstname.lastname@example.org.