Navigating the Cybersecurity Landscape

Introduction

As a CIO, understanding and preparing for various cybersecurity compliance requirements is crucial. This blog offers insights into preparing for CMMC, CCPA, SOC-2 Type 2, NYDFS, FTC Safeguards Rule, and SEC compliance, focusing on their general requirements.

Understanding Cybersecurity Compliance

Key Regulations and Standards

CMMC (Cybersecurity Maturity Model Certification):

General Requirements: Implementing layered cybersecurity practices, documentation of processes, and maintaining cybersecurity hygiene. It’s tiered across five levels, each with increasing security requirements.

CCPA (California Consumer Privacy Act):

General Requirements: Giving California residents more control over their personal data, including the right to know what data is collected, request deletion, and opt-out of the sale of their data.

SOC-2 Type 2:

General Requirements: Demonstrates a company’s ability to securely manage data, protecting the interests and privacy of clients. It requires a detailed audit of control activities over a minimum of six months.

NYDFS (New York Department of Financial Services Cybersecurity Regulation):

General Requirements: Establishing a cybersecurity program, adopting a written policy, designating a Chief Information Security Officer, implementing access controls, conducting risk assessments, and reporting cybersecurity events.

FTC Safeguards Rule:

General Requirements: Financial institutions must develop, implement, and maintain a comprehensive information security program. It includes risk assessments, access controls, employee training, regular testing, and oversight of service providers.

SEC (Securities and Exchange Commission) Compliance:

General Requirements: Publicly traded companies are required to implement cybersecurity risk management policies and procedures, disclose cybersecurity risks and incidents, and ensure accurate record-keeping.

Preparing for a Compliance Review

Step 1: Conduct a Comprehensive Risk Assessment

Evaluate your IT infrastructure and practices against the specific requirements of each regulation.

Step 2: Develop and Implement Robust Security Policies

Tailor your policies to meet the requirements of each standard, with a focus on data privacy, access controls, and risk management.

Step 3: Ensure Proper Data Management and Protection

Align your data management and protection strategies with the specifics of each regulation, emphasizing consumer data rights (CCPA) and secure data handling practices (SOC-2 Type 2, NYDFS, FTC Safeguards Rule).

Step 4: Regularly Update and Patch Systems

Ensure your systems and software are updated regularly to comply with the technical safeguard requirements of these standards.

Step 5: Train Staff on their respective roles regarding cybersecurity

Make sure that staff are trained on organizational cybersecurity requirements, general cybersecurity hygiene and specific responsibilities that exist as part of their role within the organization.

Step 6: Prepare a thorough Incident Response Plan

Identify an incident response team and develop an incident response plan that steps through what is to be done based on the type of incident and its potential severity. Test the incident plan periodically so you aren’t trying it out for the first time during an actual incident.

Step 7: Document Compliance Efforts

Maintain thorough documentation for all compliance-related activities, including internal audit checks, a critical element for proving adherence to these standards.

Best Practices for Risk Assessment and Data Protection

Effective risk assessment and data protection are pillars of robust cybersecurity compliance. Here are some best practices to enhance these areas:

Risk Assessment Best Practices:

– Conduct regular and comprehensive risk assessments to identify vulnerabilities in your IT infrastructure.

– Utilize advanced tools and methodologies like penetration testing and vulnerability scanning.

– Involve cross-functional teams in the risk assessment process to get diverse perspectives.

– Stay updated with the latest cybersecurity threats and adjust your assessment strategies accordingly.

Data Protection Best Practices:

– Implement strong encryption methods for data at rest and in transit.

– Regularly update your data protection policies to comply with evolving regulations.

– Ensure strict access controls and use multi-factor authentication for sensitive data access.

– Conduct regular data backup and recovery drills to minimize the impact of data breaches.

Insightful Tips for Continuous Compliance Improvement

Continuous improvement in compliance is essential for adapting to evolving cybersecurity landscapes. Here are some tips to keep your compliance efforts proactive and effective:

– Establish a culture of continuous learning and improvement within your cybersecurity team.

– Regularly review and update your compliance policies to align with new regulations and standards.

– Engage in periodic training and awareness programs for your employees.

– Invest in technology that facilitates compliance monitoring and reporting.

Conclusion

Companies that look to incorporate compliance as part of an organizational cyber risk strategy (as opposed to a ‘set it and forget’ approach) tend to achieve their compliance goals in a more cost-effective manner, because the compliance measures are developed more organically within the organization. If you would like to learn more about best practices for preparing your organization for compliance, please contact us at [email protected]

Log4j: FTC Warns Organizations they may face Legal Action

The Federal Trade Commission (FTC) released an alert warning companies that they may face legal penalties if they aren’t taking the proper steps to mitigate Log4j vulnerabilities and protect consumer information. Earlier this month, FTC officials said there is a “severe risk” to consumer products, software, and applications caused by a vulnerability in the Java logging package. This vulnerability is being exploited by hackers, and it is critical that vendors who rely on Log4j take the proper precautions to reduce their likelihood of an attack.

An example of this is the Equifax breach, which was caused by failing to patch a known vulnerability. Because of this vulnerability, the personal information of 147 million consumers was left exposed. Equifax paid $700 million to settle actions taken by the FTC. The FTC intends to pursue any companies that fail to take steps to protect consumer data from exposures caused by Log4j, or similar vulnerabilities that may occur in the future.

The FTC advises companies to keep their Log4j software package updated to the most recent version and to reference the Log4j Vulnerability Guidance provided by CISA. This FTC alert is a wake-up call to many companies that cyber threats are evolving, and so are the security requirements and the legal actions that will be taken if they do not take the proper steps to protect consumer information.

Government Agencies Release Updated Cybersecurity Guidelines

While cyber attacks such as ransomware have steadily increased in frequency over the past few years, more recent, widely publicized attacks like the Colonial Pipeline attack have finally caused government agencies to sit up and start taking action. The White House’s unprecedented executive order, for example, aims to help modernize the federal government’s cybersecurity practices, and the FBI recently requested an additional $40 million for cybersecurity defenses. While these important steps are aimed at strengthening the government’s response to cyber threats, other government agencies are now starting to issue updated guidelines for regulated industries. Many of these new guidelines cover the basics of cybersecurity practice, like creating a cybersecurity policy and encrypting sensitive data. However, what becomes clear is that for regulated industries to fully adopt these guidelines, there must be a focus on managing and mitigating the human risks involved in cybersecurity.

Of the various government agencies issuing new cybersecurity guidelines, the U.S. Department of Labor’s Employee Benefits Security Administration guidance is notable for being the first time the department has issued any sort of cybersecurity guidance. The guidelines are aimed at entities covered under the Employee Retirement Income Security Act, including “benefit plan sponsors, plan fiduciaries, record keepers and plan participants,” and are designed to protect the estimated $9.3 trillion in assets the department oversees. Included in the guidelines are practices widely considered essential for defending against cyber threats, including a formal cybersecurity policy, annual risk assessments, and security reviews of third-party vendors.

Many of the guidelines issued by the Department of Labor are aligned with the New York Department of Financial Services’ 2017 cybersecurity regulation, and the NYDFS itself is starting to ramp up its own guidance. In June, the NYDFS released updated FAQs that offer further guidance on complying with the state regulation, while also releasing new ransomware guidance. The updated FAQ shows the department is not messing around. While the NYDFS outlines which covered entities can file for an exemption, it also emphasizes that even exempt entities must comply with certain aspects of the regulation, such as maintaining a cybersecurity policy, conducting risk assessments, and notifying the department of any cybersecurity events. In its ransomware guidance, the department cites the importance of practices such as cyber awareness training, MFA and password management, and strong access privilege restrictions — all of which are already required under the department’s regulation.

While many of the cybersecurity guidelines government agencies are now offering cover basic cybersecurity practices, implementing and maintaining these guidelines can be daunting for a business. What becomes clear is that even the technical aspects of cybersecurity involve managing and mitigating human risks. For example, the NYDFS urges covered entities to implement a patch management program, which requires leadership to ensure their IT team regularly applies patches to the organization’s software and systems. If IT fails to do this, the organization could be slapped with millions in fines. It’s therefore essential that businesses focus not only on staying compliant, but also on ensuring their teams develop habits that align with their cybersecurity needs. Managing these human risks involves three factors first and foremost: keeping tasks simple, using prompts for employees, and providing positive feedback. In combination, these three factors help ensure employees can develop and sustain the habits that, ultimately, can make or break an organization’s cybersecurity posture.

First American Facing Hefty Fines for Data Breach

On Wednesday, the New York Department of Financial Services (NYDFS) announced its first-ever cybersecurity charges, against title insurance company First American, for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.

The First American data breach initially occurred in October 2014, after an error in an application update left 16 years’ worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and driver’s license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the vulnerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another six months, until a cybersecurity journalist discovered and published the breach.

The charges against First American for its role in the data breach mark the first time the NYDFS has enforced the department’s cybersecurity regulation, established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular vulnerability tests in line with a cybersecurity risk assessment.

First American is facing six charges, including failing to follow its internal cybersecurity policy, misclassifying the exposed documents as “low” severity, and failing to investigate and report the breach in a timely manner.

While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.

News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, a number of state regulations have gone into effect in the past five years. This is merely one of what are likely to be many companies facing enforcement unless they take steps now to ensure compliance.

E.U. and U.S. Privacy Framework Struck Down

Last week the top court in the European Union found that Privacy Shield, the framework used to transfer data between the E.U. and the U.S., does not sufficiently protect the privacy of E.U. citizens and is therefore invalid. The court’s decision has left many businesses scrambling and throws the difference between E.U. and U.S. privacy standards into stark relief.

Privacy Shield was a data sharing framework enacted by the E.U. courts in 2015. Three years later, however, the E.U. established the General Data Protection Regulation (GDPR), which places stricter privacy requirements on the processing of E.U. citizens’ data. According to the Washington Post, over 5,300 companies — including Facebook, Google, Twitter, and Amazon — that signed up to use the Privacy Shield framework now need to find a new way to handle the data of E.U. citizens in the United States.

The court made its decision after privacy expert Max Schrems filed a complaint against Facebook for violating his privacy rights under the GDPR once Facebook moved his information to the U.S. for processing. While the GDPR does allow the data of E.U. citizens to be transferred to other countries, that data must continue to comply with GDPR standards after it is transferred. The problem with Privacy Shield, according to the E.U. decision, is that the U.S. government has wide-reaching access to personal data stored in the United States. And while the E.U. acknowledges that government authorities may access personal information when necessary for public security, the court ultimately found that the U.S. does not meet the requirements of the GDPR “in so far as the surveillance programmes…. are not limited to what is strictly necessary.”

This decision starkly highlights the differences not only in E.U. and U.S. privacy regulations but also the privacy standards used in surveillance activities. In a statement to the Washington Post, Schrems said, “The court clarified…that there is a clash of E.U. privacy law and U.S. surveillance law. As the E.U. will not change its fundamental rights to please the [National Security Agency], the only way to overcome this clash is for the U.S. to introduce solid privacy rights for all people — including foreigners….Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

Moving forward, U.S. companies processing E.U. citizen data will either need to keep that data on servers within the E.U. or use standard contractual clauses (SCCs). SCCs are legal agreements created by individual organizations that cover how data is used. Of course, any SCCs will need to be compliant with the GDPR.

Time will tell exactly how this ruling will affect U.S. businesses holding data from E.U. citizens, but this is only one of many examples showing that the E.U. is taking consumer privacy extremely seriously. All businesses that have users within the U.S., large or small, should therefore carefully assess their privacy practices and ensure they are in line with the GDPR. At the end of the day, it’s better to have a privacy policy that is stricter than it needs to be than to scramble at the last second when the E.U. makes a new ruling like it did last week.

Compliance is Not a Security Strategy

The good news: Many companies these days are using cybersecurity controls and security training for their employees. The bad news: A lot of these businesses are putting in place the bare minimum in order to meet compliance requirements. The truth is, however, that you can be compliant but not secure. Remember the big Target breach in 2013? Hackers were able to take the debit and credit card information of millions of shoppers by accessing Target point-of-sale systems. The irony is that, just months before the attack, Target was certified PCI compliant. In the words of then-CEO Gregg Steinhafel, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” Simply put: Target was compliant but not secure.

Creating a Culture

If your security awareness program is a “check the box” compliance program, you can bet your employees are going through the same motions as you are. How has that improved your security posture? It hasn’t. Instead, creating a strong security program is first and foremost about creating a culture around security. And this has to start at the top, with your executive officers and your board. If business leaders set a security-focused tone, then employees will likely follow suit.

The reason a business can be compliant and not secure is that cybersecurity isn’t a one-and-done deal. Compliance is a state; cybersecurity is an ongoing process that involves the entire organization — from the boardroom to the cubicle. The Verizon Data Breach Investigations Report shows that the human factor is the largest factor leading to breaches today. If that’s the case, perhaps instead of checking off the boxes, and before investing in that new machine learning intrusion detection gizmo, consider focusing on human learning, engagement, and the behaviors that can drive a mindful security culture.