This article originally appeared in our Top 10 Ethics & Compliance Predictions & Recommendations for 2018
Cyber security has been a priority – current events have made it an urgent one. Companies of all sizes and maturity levels are falling victim to cyber attacks. Large enterprises are experiencing breaches that compromise the personal information of millions upon millions of individuals, while small-to medium-sized organizations are being targeted as entry points to infiltrate supply chains and gain access to larger organizations. This has made third parties an increased concern for cyber risk, and rightfully so. According to the NAVEX Global 2017 Third-Party Risk Benchmark Report, cyber security and data protection have become the top concern for organizations’ third-party risk management programs.
Cyber attacks are not only increasing in frequency and size but also in complexity. New threat types are emerging, and old threats are manifesting in new ways.
Cyber attacks are not only increasing in frequency and size but also in complexity. New threat types are emerging, and old threats are manifesting in new ways. The now infamous WannaCry attack is a new variation of an old threat and has made “ransomware” a household term. Whereas stealing information has always been a concern, now cyber criminals are holding that information hostage for a ransom at the threat of sharing it publicly, manipulating it or destroying it.
The cyber security environment is expanding as well. Data is proliferating more rapidly than ever and there has been a dramatic increase in the number of digital devices connected to the global IP network. The use of these devices by employees to store and access sensitive information has effectively increased the surface area that cyber security programs are required to protect.
In short, companies are starting to feel the urgency of the risks today. As security experts like to say, “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”
NIST Framework Is Becoming a Prerequisite for Doing Business in the U.S.
Governments often use public procurement regulations to influence and advance business practices, and cyber security is a prime example. On that front, the National Institute of Standards and Technology (NIST) Cyber Security Framework is becoming the de facto approach for the private sector to use to advance their cyber risk management practices.
NIST Cyber Security Framework is becoming the de facto approach for the private sector to use to advance their cyber risk management practices.
The Department of Defense (DOD), the General Services Administration (GSA), and the Department of Health and Human Services (HHS) have already incorporated some guidelines from the NIST Framework, particularly into their supply chain regulations. The DOD has required the highest level of compliance for contractors among government agencies, instituting mandatory cyber security requirements to all relevant defense contract solicitations and imposing contract terms requiring compliance with several standards highlighted in the NIST Framework. For contractors that deal with its data or IT systems, HHS contracts feature a security clause requiring fulfilment of the standards within the NIST Framework for risk management and security controls in federal information systems.
The private sector has generally been supportive of making cyber security requirements more consistent across the different government agencies’ contract requirements, and the NIST Framework is often mentioned as a basis for developing more consistency among government procurement practices.
New Global Requirements
Cyber security standards are being raised throughout Europe and Asia as well, with national governments encouraging tighter security measures when working with the private sector.
- European Union: The new Network and Information Security (NIS) Directive calls for additional security protocols specific to government agencies when utilizing digital service providers and considers extending these measures to contractors and suppliers
- United Kingdom: In order to qualify for government awards, private sector government contractors must comply with the Cyber Essentials Scheme, involving protection of citizens’ personal information or government data classified at the “Official” level and above
- Australia: Government contractors and suppliers must comply with Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements; the Department of Finance requires suppliers to include data protection plans using industry accepted standards with their proposals/contracts and are required to report breaches
- Japan: Contractors are required to abide by security policies aligned with government procurement guidelines
Key Steps for Organizations to Take
Cyber security risk usually extends to all business units, operational units, employees and key third parties. That is why the compliance function is playing a critical role. Whenever organizations need to do something on an ongoing and systematic way, where people are to be held accountable, Compliance is front and center. Here are five ways Compliance can play a pivotal role in a cross-functional approach to cyber security.
Own or Implement a Cyber Risk Assessment
Compliance regularly operates in the world of risk assessments and understands how to identify an organization’s greatest risk by developing a comprehensive risk profile. With a full understanding of a company’s risks and threats, Compliance can guide an organization’s approach and control environment to effectively manage and mitigate risks while at the same time deploying scarce resources toward the most significant among them.
Embed Regulatory Requirements into Business Operations
As with other enterprise-wide risks, cyber security is a regulatory compliance challenge for an increasing number of companies. As mentioned above, there is a growing number of fairly nuanced regulations addressing cyber security that apply to private and public sectors, specific industries, and specific data sensitivities. The compliance function has the competence to design and implement policies, procedures and controls that meet these requirements.
Connect the Functional Dots Across the Organization
Cyber security is an enterprise-wide risk and requires a cross-functional approach for management. Compliance is skilled in building a systematic approach across an enterprise. It has the regular contact and seniority to engage effectively with the C-suite, Legal, HR and other functional and operational teams. Compliance can connect the dots across an organization.
Address the “People & Processes” of Cyber Security
Cyber security involves an integrated approach to “people, processes and technology.” The compliance function has deep insights into how to engage broadly with employees and how to collect and analyze data through the monitoring and audit processes needed to manage risks. This proficiency in influencing employee behavior and organizational culture are necessary skills needed to complement the protection efforts deployed by the technology function.
Developing & Tracking Program KPIs
As another aspect of monitoring, Compliance has expertise in developing key performance indicators (KPIs) and specific metrics to track progress and ROI, as well as developing a rhythm for board reporting, and reporting externally, as appropriate. Consistent application of KPIs will help cyber security programs mature over time with a cadence toward continuous improvement. Being on a trajectory of maturing practices not only builds stronger resilience but also demonstrates to customers, partners and regulators, as needed, a commitment to risk management, compliance and best practices.
Now, more than ever, Compliance must play an integral part in any organization’s cross-functional cyber security program to make sure such efforts are enterprise-wide, consistent with regulatory requirements and embedded in how the company operates and its people conduct their work. As with other compliance issues, organizations will need to be in a position to tell their story of continuous improvement through KPIs, metrics and demonstration of using best practices.