Compliance, Time to Catch Up
Laws are great. Wearing a seatbelt, for instance, is a great law. It ensures you don't get killed. So why was it only introduced decades after the world got on the road? That's because it takes time for the government to catch up with evolving situations (like the dangers involved in automobile collisions); and boy is the Cybercriminal market evolving at an alarming pace - with US cities paying as much as $600,000 for a single ransomware payout in 2019.
That said, Cyber compliance laws are doing a great job in helping ensure that companies stay on their tippy toes regarding their security structure, with 41% percent of firms expecting to spend more time assessing FinTech and RegTech solutions in 2020, and nearly two thirds expecting an increase in their total compliance budget. Here are some of the major and upcoming cyber security compliance and regulations requirements out there today:
HIPAA, Protecting Health Data
HIPAA is one of the more well-known compliance regulations in the US; with a broad range of laws protecting healthcare information from outsiders. But it was only 7 years after HIPAA was created that the security rule subsection was introduced in 2003. One of the most striking things about the security rule was that it made mandatory the notification of local media in any breach of 500 residents or more of an area or jurisdiction; ensuring everyone was aware that their local healthcare provider had a security breach.
Sarbanes-Oxley - The Public Company Regulation
To protect the general public from fraud in the financial sector, the Sarbanes-Oxley (SOX) Act of 2002 was put into effect. It keeps public companies honest when it comes to financial reporting and from tampering with data. The act was modified several times to include Cybersecurity language related to system reporting and quality control policies.
In a nutshell, it requires public companies and any of their affiliates to deploy systems that protect against tampering of data, and that all data, as well as potential breaches, are made available to auditors.
PCI - The Consumer Payment Information Regulation
They say cash is king, but credit cards might just be the king's treasurer. Everyone is using their credit cards for nearly everything today; from shopping online to filling up at the local gas pump. PCI makes sure that everyone that has your cardholder data is handling it with care.
PCI includes requirements to protect customer data through firewalls, encryption, anti-malware systems, access control and - most importantly - to continuously monitor and test the current security posture and processes of the business and especially of the systems that house all payment information.
An organization's Internal Security Assessor or an external Qualified Security Assessor validates compliance yearly to ensure that all standards are met. For organizations that generate high transaction volumes, the assessor creates a detailed audit report covering every aspect of payment information collection and security. Organizations with low card transaction volumes can complete a Self-Assessment Questionnaire but are still required to take the appropriate precautions with consumer information.
Requiring Even More: 23 NYCRR 500
Finally, a regulation with some teeth. The 23 NYCRR 500 regulation (commonly referred to as NYDFS500) applies to any company dealing in financial and pecuniary information of any kind. In broad strokes, this includes banks, insurance companies, and other financial services organizations licensed by the New York State Department of Financial Services to handle any form of financial transaction. Each covered entity must develop and maintain a cybersecurity program to protect information system confidentiality, integrity, and availability.
Many consider it to be one of the most stringent cybersecurity regulations ever issued, primarily because it includes requirements for continuous monitoring and/or periodic pen-testing for all organizations that fall under its jurisdiction. Even smaller organizations (which are often exempt from these forms of regulations) are required to comply with at least a subset of the requirements of the regulation.
GDPR - Europe to the Rescue
After much fanfare by the European Union (EU), the General Data Protection Regulation (GDPR) finally went into effect in May of 2018. It applies to all organizations—whether based in the EU or outside of the region but dealing with EU citizen data—that handle personal data of any EU citizen. “Personal data,” as defined by GDPR, can be a name, photo, email address, bank details, social media posts, medical information, or a computer’s IP address.
Data controllers and processors (the two levels of data management that are defined by GDPR) have a legal obligation to conduct an objective data protection impact assessment and to quantify their risk. They must implement appropriate tools, technology, and process controls and demonstrate that everything is in full compliance for GDPR. Data controllers must also regularly test, evaluate, and update controls for ongoing data processing security since they are defined as organizations that primarily do business by obtaining, storing, and selling/sharing data.
Where NYDFS500 is perceived as the most explicit data protection and notification regulation out there, GDPR holds the title of the most wide-reaching. Every company that acquires, holds, processes, and/or does business with Personally Identifiable Information (PII) on or about EU citizens is required to comply with the GDPR, no matter what that business is.
California Consumer Privacy Act (CCPA) - California Leading the Pack
With it coming into effect just a few weeks ago, CCPA is quite similar but slightly different from the other California privacy laws, such as CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act.
Being that it covers any for-profit company that collects the data of any resident of California (the largest state in the US by population) which boasts over 25 million in annual revenue, that pretty much covers most of the US’s e-commerce industry sectors.
With its requirements regarding the collection, use, and protection of California residents’ personal information, fines range upwards to $7,500 per incident—with an “incident” referring to the unauthorized access of data from an individual or household. Violating the CCPA-guaranteed rights of 1000 users can result in a fine up to $7,500,000! That's a big check to have to write, considering how much personal data many companies are keeping track of, and ensures firms are keeping all that data as safe as they possibly can.
CCPA is most notable for being one of the first regulations to specifically mention that unauthorized access leading to the disclosure of PII (even if it isn’t removed from the data store holding it) is still considered a violation. So a threat actor browsing the data can potentially trigger the regulation’s penalties.
Last But Not Least: ISO 27001
The International Organization for Standardization/International Electrotechnical Commission Document 27000 (mercifully abbreviated to ISO/IEC 27000), is a family of standards that help organizations keep information assets secure. ISO/IEC 27001 is the most well-known of this family of standards and is focused on the security and control of data and information. It uses a top-down, risk-based approach and is technology-neutral. What does ISO/IEC 27001 do? It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system.
Just to be clear, ISO/IEC 27001 isn't a regulation, but a standard. This means that while you may not get fined for not complying with it, doing business without it will become harder and harder as time goes by. Companies want to hear from potential partners or clients that are ISO certified (independently audited for compliance with the standard) as it will help with protecting against a data breach within that business relationship.
Even more than that, some government agencies are making it a requirement; since it is an international standard that does not conflict with regional or national standards. For example in Israel; anyone wanting to do business in healthcare or with access to government healthcare systems must be ISO certified. This allows the Israeli government to know that a standardized set of security controls is in place, without having to navigate the specific data protection regulations of dozens of countries and hundreds or even thousands of localities.
How to Prepare for a Compliance Check or Audit
The last thing anyone wants to do is to schedule an audit or pen-test (which are both costly and time-consuming) only to have that testing reveal critical security issues that must be corrected and a re-test performed to confirm these issues are resolved. Of even more concern, these initial audits and tests can become part of permanent public records, making it harder to land contracts and secure business even after the issues have been addressed completely.
One of the ways a firm can prepare is by using a Breach & Attack Simulation tool like Cymulate.
Tools like these allow for testing an organization's security posture and controls and make it easier to identify (and fix) any issues BEFORE an audit or pen-test; instead of after. And most importantly, before a cybercriminal discovers and exploits your vulnerability.
After simulation and measuring the effectiveness of existing controls, Cymulate assigns a risk score to each area – taking into account many standards and frameworks. A high-risk level indicates a gap in coverage, misconfiguration of tools and/or platforms, lack of specific functionality, or reduced incident response-ability. Gaps can occur anywhere, from entry points like firewalls and email filters, through end-user threats like malware and phishing/email fraud, to weaknesses that allow an attacker to move around a network and exfiltrate (steal) data.
Digging down, once you are done the testing of your organization and after receiving your risk score, you can decide where you and your team should allocate people and budget toward fixing any issues that came up. This process can be complex, but could also be as straight-forward as altering some settings in platforms and tools to close off unauthorized avenues of entry and exit.
Cymulate customers regain days of time and valuable staff expertise for executing proactive security strategies. They also gain new peace of mind, knowing that their entire infrastructure is continually evaluated for effectiveness and tested to eliminate hidden vulnerabilities.