<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TR8PWW" height="0" width="0" style="display:none;visibility:hidden">

How are regulators & governing bodies taking on cybersecurity in 2016

By Fouad Khalil on March, 15 2016
Fouad Khalil

VP of Compliance with extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, program and project management and most recently IT Security and Compliance management. Key areas of focus include: Information Technology, Internal Controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. Experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA Member & CISA Certified

A Little Bit of History (2014 – Today)  You don’t have to go back very far to discover common trends occurring across information security areas in all industries and government agencies as they relate to cybersecurity.   The primary driving factor can be attributed to the never ending spate of breaches which have impacted nearly every type of business regardless of size or sophistication.  This has led to governing agencies or associations to take notice and begin to issue guidance/rules.  Here are just a few which come to mind:

  • The National Institute of Standards and Technology (NIST) released the Cybersecurity framework in February 2014. The framework is being employed voluntarily across the country, in a host of sectors and by organizations ranging from multinationals to small businesses.
  • The Securities and Exchange Commission (SEC) which is primarily tasked with protecting investors, maintaining market integrity and facilitating capital formation, has put cybersecurity threats and issues on the top list of priorities for 2016. The SEC’s Office of Compliance Inspections and Examinations (OCIE) has identified cybersecurity as one of the focus items on the 2016 examination priorities
  • As 2015 was wrapping up, the senate is looking to help bring about awareness and information sharing by passing the Cybersecurity Act of 2015 on 10/27/15 which will soon be enacted.  It grants legal protection to private companies and government agencies that share cybersecurity risks and threats. It is only through the combined efforts of government agencies and the private sector that we are able to keep up with and protect against cyber threats.

What to expect in 2016?

What does this all mean to you?           

Laws, regulations and standards are designed to protect sensitive confidential information that are sought out by cyber criminals, hackers and state sponsored groups.  The ongoing struggle is to ensure all access is authorized and that it is granted to individuals based on approved roles and responsibilities.  Government agencies and private sector organizations must stay ahead of this threat and consider all access pathways to protected data.  They are to adopt and implement a framework that paves the way to data protection, achieving continuous compliance and ensuring a less negative outcome if auditors come knocking.

The OCIE’s theme was “Prove it!!  Security is no longer just an academic discussion.”  Following OCIE’s first examination of cybersecurity compliance of selected broker-dealers and registered investment advisors a wide range of findings were issued in their February 2015 summary report and as a result, they will build key areas of concern into the 2016 audit plan.

The SEC is not the only governing body auditing cybersecurity compliance.  The US Food and Drug Administration (FDA), the Federal Trade Commission (FTC) and the Financial Industry Regulatory Authority (FINRA) are following suit.

On February 15, 2016 the FDA released draft guidance on post-market management of cybersecurity in medical devices.  The guidance outlines recommendations for managing post-market cybersecurity vulnerabilities in medical devices that contain software or programmable logic, including networked devices.

The FTC also confirmed in 2015 that “data security” is still a top priority (for a decade now).

On January 5, 2016 FINRA released its annual regulatory and examination priorities letter.  Included in their plan is to ensure that organizations can demonstrate that their procedures and policies related to cybersecurity, technology management and data quality are up to date, adequately resourced and strictly followed.

On February 9, 2016 Obama’s budget boosted cyber spending by 35% (total of $19 Billion) and added a federal CISO position.  This is after one year of constant disclosures about agency hacks that compromised millions of background check records.  The new federal plan includes steps to crackdown on lax security.

How to best prepare?

Governing bodies and associations will continue to reference the Cybersecurity framework as they build and execute their audit plans

Governing bodies, regulators and standards bodies are not slowing down any time soon.  They are continuously updating regulations and standards and taking actions and executing audits to ensure compliance with the cybersecurity framework. 

SSH Communications Security predicts:

  • Due to the rapidly changing nature of cyber threats, cybersecurity is a continued focus for many regulators and governing bodies.
  • Cybersecurity framework is considered a guidance today.  It is quite possible that it would be signed into law in the future.
  • Cybercrime will not go away in 2016, 2017 and beyond.  It is predicted to spread into all business sectors.
  • Organizations to be on the lookout for more scrutiny from regulators, longer audit efforts and hefty fines for non-compliance.
  • Cyber insurance rates are expected to sky rocket!! 

The number of detected security incidents climbed 38 percent in 2015 compared to a year earlier, according to PwC, and has been growing at a steady double-digit clip over the last five years. The total number of incidents captured in the survey now stands at 59 million, although the true figure is likely to be much higher.

Cybersecurity will continue to be a high priority.  Organizations need to adopt a best practice framework that will enable them to prevent, identify and respond to cyber threats.  Organizations may be selected for an audit to ensure compliance.  The NIST cybersecurity framework is a great starting point for all organizations to better prepare for threats and issues and to be ready for surprise audits.

References:

SEC - https://www.sec.gov/index.htm

OCIE - https://www.sec.gov/ocie

Cybersecurity Framework - http://www.nist.gov/cyberframework/

NIST - http://www.nist.gov/

FDA - http://www.fda.gov/

FTC - https://www.ftc.gov/

FINRA - http://www.finra.org/

 

 

 

 

 

Submit a Comment

Stay up to date