[BreachExchange] Politicians are coming with new cybersecurity requirements — are you ready?

[Audrey McNeil]

http://www.virginiabusiness.com/opinion/article/politicians-are-coming-with-
new-cybersecurity-requirements-are-you-ready

For the past two years I have predicted that if American businesses did not
step up their game on protecting data security, then government would step
in and force the issue. Consider how the Affordable Care Act came into
being. Health care has been on the government’s agenda since the Clinton
administration. The health-care industry spent more than a decade passing
the ball to K Street lobbyists, hoping to keep the government at bay.
Ultimately — whether right or wrong — the government took action.

Cyber data breaches have been on the radar for well over a decade, and
there is no letup on hacking events. Every day new breaches are reported by
companies of all sizes — from major financial institutions to local medical
practices. Other than breach notification laws, to date, government has
issued guidance to businesses. That soft touch appears to be ending. It is
no surprise that now New York has stepped to the forefront and proposed
actual regulations that will apply to financial institutions. While
industry analysts already are panning the proposed regulations, like most
government initiatives, there is likely little to stop implementation in
some form.

Some of the regulations appear to make perfect sense. State-regulated banks
and insurers must perform a self-evaluation of their cyber vulnerabilities
on an annual basis. In response, these entities must develop updated
cybersecurity plans, which include an immediate response plan for breaches.
These institutions also must designate an employee to act as the chief
security officer. Moreover, banks and insurers will have to notify the
state of possible cyber breaches within 72 hours. In reality, many of these
requirements are not totally out of bounds, and most experts advocate for
this level of planning as part of a company’s cyber risk management
efforts. The concern for the proposed regulations is that they appear to go
much further, for example, requiring all email communications with
customers to be encrypted.

If financial institutions had taken action and implemented realistic and
state-of-the-art cybersecurity plans, it is unlikely the government would
be proposing these regulations. When politicians perceive that business is
not acting to protect constituents, they act to fill the void. If the
current proposals are enacted in New York, it is likely that other states
will be forced to implement similar regulations.

If anyone thinks financial institutions will be the first and last industry
to be targeted for such regulations, think again. This is an easy topic for
politicians as the constant news of breaches is on voters’ minds. In all
likelihood, most voters have been impacted by a breach or identity theft in
some form. Cyber regulations are the kind of laws that do not cost the
government much, but look good to voters.

Where do we go from here? Businesses and their trade groups must wake up
and take data security seriously. Providing limited discussion and guidance
on the issue at annual conferences is not going to cut it any longer.
Continue down that road, and you can be assured government will step in
with regulations for your industry as well. Trade associations must take
action now — demanding that their members take action and ensuring that
their proactive efforts remain visible to lawmakers.

If the financial industry is first up, who is next? Almost surely one of
the three Hs will be targeted for governmental oversight.  Who are the
three Hs? Health care, hospitality and higher education. For the last year,
it has become apparent that these three industries are behind the eight
ball when it comes to data security and cyber insurance. The three Hs have
a lot in common that makes them high-value targets for cyber criminals: 1)
all have access to substantial personal information for the customers; 2)
all employ numerous people with a fairly high degree of turnover; 3) all
allow employees a high degree of access throughout their information
networks; and 4) all rely heavily on technology to achieve operational
efficiency.

Politicians looking to implement new regulations that purportedly affect
the most votes could not find three better industries to target. Of these,
health care is likely first up for additional mandates. The personal
identifying information owned by medical and health-care providers is the
“gold standard” for cyber thieves. Plus, recent high-profile incidents are
gaining national attention concerning the vulnerabilities of the industry.
Earlier this year, Hollywood Presbyterian Hospital in Los Angeles was hit
by ransomware. The hospital paid a $17,000 bitcoin ransom to get its
network unlocked. More recently, MedStar Health System was hit by
ransomware that created a nightmare for the provider. And the list goes on.
When providers have to cancel surgeries and cannot access patient files, it
garners peoples’ attention — including politicians.

Hospitality and higher education are not far behind. A number of
high-profile breaches have hit the hospitality industry. The media have not
paid as much attention as they did to retailers like Target or Home Depot,
but it is only a matter of time. Higher ed’s problem is the manner in which
colleges and universities are structured. It takes a lot of time and effort
to get buy-in that they are exposed. But again, one high-profile event and
possible legislation will be coming.

The health care, hospitality and higher education industries would be very
wise to get ahead of the curve. Acting now to implement cybersecurity
measures is not only prudent from an internal risk management standpoint,
but it has the potential to move these industries off the legislative radar
As 2016 winds down, these industries should make their New Year’s
resolution to tackle cybersecurity in a serious and systemic manner. If
not, be assured that legislators will likely step in to make them take
action.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160927/e6fe46ea/attachment.html>