Cybersecurity Regulations – Looming Changes in the U.S.
Personalized Experiences provided by Software Platforms and the Burden to Protect Them
We have all enjoyed the personalized experiences that software platforms provide as they learn more about us, but with that data comes a heavy burden to protect it. We are seeing the consequences of failing that burden in the broken trust surrounding Facebook and Equifax. Cybersecurity and privacy standards are also confronting organizations today as they race to meet the May 2018 GDPR enforcement deadline. What is the U.S. doing in parallel to keep up?
Today, the U.S. lags significantly in cybersecurity and privacy standards and will soon need to make sweeping changes as breaches continue to increase in frequency and severity. Changes already implemented (and those forthcoming) to bring about increased enterprise accountability should compel every organization to do what it takes to get ahead of the curve.
Three primary drivers are forcing the U.S. government to bring about these changes to the current regulatory environment. These include recent high-profile failures, transfer of risk to U.S. consumers and recognition of current regulation inadequacy. These changes are aimed at further ensuring firms operating in the U.S. adequately protect all data (internal and external) across the entirety of their enterprise. Let’s explore these drivers in more depth.
1 – Recent High-Profile Failures:
The first primary driver is, collectively, the numerous recent instances in which organizations have eroded or broken consumer trust by exposing massive amounts of personal data, despite broad assurances that they had the highest security standards and governance practices in place. CSO magazine published a comprehensive list of notable data breaches, including those at Equifax, Yahoo, OPM, and Uber. The Equifax breach is particularly important because of its broad impact on roughly 148 million U.S. consumers, most of whom had no direct relationship with Equifax.
2 – Transfer of risk to the U.S. consumer:
As consumers, we are not in control of the data about us that sits inside the companies we interact with. Every organization we do business with, or that serves us in some capacity, creates reams of private, sensitive data about its customers. The responsibility of an organization to protect this data is clear, but it is impossible for an individual to enforce.
Important Factors to Consider
Financial Trading Exposure / Valuation – A full-scale security or data breach has a significant negative impact on the market value of a firm as the details of the breach unfold over time (Equifax was -18% over the disclosure period).
Dwell Time – According to the 2017 Ponemon Institute Cost of Data Breach Study (sponsored by IBM), the Mean Time to Identify (MTTI), the time elapsed before a firm knows it has a significant problem, was 191 days, and the Mean Time to Contain (MTTC) the problem once found was a further 66 days.
This expected trading impact, coupled with a discovery-and-containment window averaging roughly eight months (191 + 66 days), creates an enormous financial opportunity for bad actors and speculators: an attacker can compromise a firm, take a short position, and profit when the breach is formally disclosed to the market. Until the industry shortens that window, the breaches will continue.
3 – Fragmented Regulations and Guidance:
Virtually all would agree that sector regimes such as FINRA rules, HIPAA, and PCI DSS have been a positive, foundational step in the right direction, encouraging the adoption of best practices. These regimes are not, however, comprehensive. Recent guidance from the SEC and the White House is helpful in driving greater accountability and focus, but my expectation is that additional regulatory changes will surface in the near term to clarify accountability even further. GDPR was a monumental step toward greater enterprise accountability for data protection, and in taking it Europe has largely paved the way for the rest of the world to follow its lead.
Recent Cybersecurity Milestones
Fall 2017: Equifax breach announced, sending shockwaves through the industry; the SEC investigates trading on the non-disclosed breach information
Winter 2018: White House publishes The Cost of Malicious Cyber Activity to the U.S. Economy and the SEC issues Guidance on Cybersecurity Disclosures
Spring (May) 2018: Enforcement of GDPR begins for all entities that process the personal data of individuals in the EU, wherever the entity is based. Fines for non-compliance can reach €20 million or 4 percent of worldwide annual turnover, whichever is higher.
A Call for Action
Regulatory bodies and consumers alike are rapidly becoming less tolerant of data breaches, especially those involving personal information. That decreasing tolerance coincides with a steep rise in the average cost of a breach to U.S. organizations. The most recent IBM Cost of Data Breach Study puts the average cost of a breach for companies in the United States at $7.35M, a 66 percent increase from the previous amount.
Leaders of today's enterprises must ensure that they have an effective and comprehensive cybersecurity posture in place, and that risks are understood and managed by properly resourced, capable teams. Certainly an enterprise should have a strong perimeter, but the perimeter cannot be 90% of its cybersecurity focus. The right combination of preventive controls and proactive detection (threat hunting) is needed to reliably identify and contain compromises before they become breaches. Our white paper, Reducing Attacker Dwell Time, describes what you can do to get ahead of this issue.
- White House Cyber Report on Cost of Malicious Activity