The regulatory environment is evolving rapidly as national and international regulatory bodies attempt to keep pace with changing business models, technology infrastructure and continuously escalating cyberthreats.
The past 18 months have seen a slew of new legislation and guidance come into effect across the globe as regulators aim to protect individuals, organisations and economies from the effects of disruption, data loss and theft.
There’s no doubt that new ways of doing business, managing financial and corporate systems and recording individuals’ personal information require new governance principles, but the volume and complexity of regulations is creating significant challenges for the businesses that must comply. The issue is further complicated by the fact that new regulations have been designed with today’s interconnected digital ecosystems in mind; businesses are not just responsible for their own security and risk management, but that of their partners and suppliers as well.
And the clock is ticking. As the first penalties for infringements of the GDPR are proposed by the Information Commissioner’s Office (ICO) - at levels showing the regulator’s willingness to exercise its full powers - businesses can have no illusions that compliance risk management has to be top of the board agenda.
Common drivers and themes for regulation – accountability and control
The latest raft of regulations and guidelines is, understandably, driven by some of the mass breaches and disruptions that have taken place over recent years. Incidents such as the SingHealth breach in the Asia Pacific region, which saw hackers steal the personal data of 1.5 million patients, and the Landmark White case in Australia, where a third-party property valuation service used by several major banks was compromised, have directly resulted in regulators issuing recommendations to try to prevent a recurrence.
At the same time the financial sector, in particular, has identified the risks introduced when financial market institutions outsource critical infrastructure to third parties, such as cloud service providers. The European Banking Authority (EBA) outsourcing guidelines apply from 30th September 2019 and will require that financial institutions achieve robust assurance that third parties are compliant with security objectives. Their aim is to allow financial institutions to benefit from the advantages of outsourcing, while maintaining control of risk.
This brings us to the two common themes of the vast majority of recently enacted regulations. Taken together, they give companies around the world, in whatever industry, a workable perspective on the landscape.
First, businesses are instructed to establish senior level accountability for the strategic management of security and cyber risk.
This means Boards must show they are conversant and comfortable with the issues impacting cyber risk in the organisation. They need to establish reporting lines that give them the information to make informed decisions about their corporate risk strategy. Ignorance of the relevant issues is a compliance failure in itself. This shift in perspective around cyber risk in particular was underlined by one of seven priority recommendations that resulted from the SingHealth breach, that “cybersecurity must be seen as a risk management issue and not a technical issue.”
Second, organisations need to demonstrate that they have effective and appropriate risk management frameworks in place to monitor and control not only their own security and compliance performance, but that of their suppliers and third party partners.
This presents a particular compliance challenge because security threats are dynamic, and it reinforces a principle that regulators have been trying to drive home for years: compliance cannot be a point-in-time, tick-box exercise.
If Boards are going to be accountable for the security and compliance performance of their company, they need to know that the company’s posture hasn’t altered in the weeks since the last board meeting. A supplier that is assessed only at the point of engagement could become a security risk if something in its own extended ecosystem changes.
A more sophisticated approach is needed if organisations are to deliver the senior accountability and risk management control that new regulations require. This means better communication between organisations and their suppliers and a partnership approach to risk management. Further, automated tools and technology that continuously monitor the security postures of suppliers in real time are needed to close the security gap created by point-in-time-only evaluations.
Meeting the compliance requirements of new regulations is a complex – and costly – activity that requires organisations to change the way they think about security reporting, accountability, and the ongoing management of cybersecurity risk at the highest levels.
BitSight examines the current global regulatory landscape, and how organisations can develop a risk management approach that is fit for the future, in its latest white paper: Understanding cybersecurity and compliance risk in a complex regulatory world.