One of the challenges with regulatory compliance in cybersecurity is keeping up with a patchwork of domestic and international regulations. Adhering to applicable regulations certainly helps companies avoid fines and liabilities. But compliance is a floor, not a ceiling: a company can pass every audit and still suffer a data breach and the damages that follow.
Consider, for example, some of the laws, standards, and regulations that can impact an organization’s cybersecurity response:
– Health Insurance Portability and Accountability Act (HIPAA): Requires covered healthcare organizations and their business associates to control and limit access to electronic protected health information (ePHI).
– Payment Card Industry Data Security Standard (PCI DSS): Requires merchants and service providers that store, process, or transmit cardholder data to protect it; it is a contractual standard imposed by the card brands rather than a law.
– Sarbanes-Oxley Act (SOX): Requires public companies to maintain internal controls over financial reporting, which extends to the IT systems that produce and store financial data.
Organizations cannot afford to underestimate the importance of basic compliance obligations, and most do not: enforcement of cybersecurity regulations has increased over time. However, merely complying with these regulations will not prevent a data breach, nor will it prevent exposure to damages and third-party liabilities.
Going Beyond Minimum Regulatory Requirements
Staying ahead of the regulatory curve in cybersecurity means taking steps to stay up-to-date on the latest information and solutions. Those steps include:
1. Cybersecurity training for employees at all levels.
Employees are often the weakest link in any cybersecurity defense plan. Employees share passwords. They click on phishing links in emails from unknown senders. And they connect to an organization's network over unsecured Wi-Fi. Even inadvertent mistakes can put an employer at risk of a data breach. Training employees to recognize phishing and other social-engineering attempts, and to report them promptly, reduces the chance that a single mistake turns into a breach, and goes beyond the once-a-year awareness session that regulations typically require.
2. Updating software and utilizing new defense technologies.
Software publishers release updates to patch known flaws in their products. Attackers routinely scan for systems that are still exposed to publicly disclosed vulnerabilities, often within days of a patch release, so organizations that fail to install those patches leave their systems open to easy compromise. Newer cyber-defense technologies that incorporate artificial intelligence and machine learning can further reduce the risk of a data breach, but they supplement timely patching rather than replace it. Organizations that lag behind are the most exposed, both to attackers and to regulators.
3. Do not ignore cybersecurity basics.
The basics include identifying and prioritizing critical systems and data, as well as implementing strong password policies and multi-factor authentication. Companies should also develop recovery plans and communications protocols for notifying the appropriate parties in the event of a data breach. These measures blunt opportunistic attacks such as password brute-forcing and credential stuffing, and they are generally the minimum that regulators expect to see.
4. Procure cyber insurance coverage.
Cyber insurance can provide compensation for direct losses and third-party liabilities, plus regulatory fines and obligations resulting from a breach. The reality is that no organization, regardless of size, is safe from a cyber attack. SMBs can suffer business-ending losses if they are not prepared to handle these expenses. Note that policies carry exclusions, and insurers increasingly condition coverage on basic controls such as multi-factor authentication and offline backups being in place. Failure to plan means your company is taking on inordinate risk.
5. Make cybersecurity an executive-level function.
Cybersecurity has traditionally been relegated to an organization's IT department, with little or no involvement by upper management. Regulatory authorities will inevitably look to an organization's executive suite for answers in the event of a data breach. Organizations have begun to create management roles such as Chief Digital Risk Officer to focus executive attention on this problem and to give security the budget and authority it needs.
Taking regulatory compliance seriously is the foundation of good risk management. But organizations serious about protecting their data must take additional steps beyond the regulatory minimum.