What enterprises need to know about cybersecurity compliance [Q&A]
Just as cybersecurity threats are constantly evolving, so are the compliance regulations that organizations must follow. And as these regulations tighten, the risks of non-compliance grow.
Cam Roberson, VP at Beachhead Solutions, a provider of cloud-managed PC and mobile device encryption, security, and data access control, sat down with us to discuss what enterprises need to know about the current state of cybersecurity compliance.
BN: Broadly speaking, how would you characterize organizations' knowledge of current cybersecurity compliance regulations?
CR: Overall, there's a rather broad spectrum right now when it comes to businesses' cybersecurity compliance knowledge and preparedness. Where, exactly, a company lands on that range depends on the expertise of their internal cybersecurity team (or external MSP/MSSP support) -- or, in many cases, the lack thereof. But compliance often flows downhill. The biggest corporations understand their responsibilities and requirements from a compliance perspective. That understanding filters down to how they secure supply chain partners through cybersecurity questionnaires and attestations, and how they select the cybersecurity insurance they put in place. Ultimately, auditors and regulatory enforcement actions will look down these chains as well, forcing all related businesses to achieve requisite awareness and compliant security measures.
But make no mistake about it -- keeping up with certain security compliance intricacies is getting both more complex and more imperative. For example, the latest 405(d) HICP guidance for HIPAA all but admits that compliance is likely too difficult for smaller businesses to realistically achieve without an expert security-minded MSP partner. That guidance also makes it clear that an organization itself can have relatively low internal knowledge on the legalistic details of regulations, as long as its MSP picks up that slack and leads businesses to secure and compliant practices and behaviors.
Another example of how big this knowledge challenge is: the FTC Safeguards Rule now requires millions more businesses to adhere to strict cybersecurity practices and establish effective safeguards, no matter their readiness and whether they even know it or not. There are also many businesses that know just enough to be dangerous; for example, those that might pursue CMMC certification to access lucrative defense industry clients, while vastly underestimating the complexity of that compliance threshold.
BN: HIPAA -- governing healthcare data -- is one of the oldest security standards. But what about HIPAA do businesses need to be most aware of in 2024?
CR: Recent updates to the HIPAA law and its enforcement practices need to be on the radar of any business working with electronic patient data. The companies' existing security strategies will likely be impacted. First, while HIPAA borrowed from early frameworks, it predates current cybersecurity guideposts. Under the recent H.R.7898 bill, healthcare businesses are now allowed to map HIPAA to NIST CSF, ISO 27001, and other modern standards, in order to align their security policies to these more robust control sets. They should do so.
Second, the recently released major overhaul of the 405(d) HICP guidelines -- which are designed to advise businesses on HIPAA compliance -- includes sobering new prescriptive guidance for achieving effective controls. As I mentioned, this overhaul comes with a clear shift in tone. Where previous guidance instructed businesses on how to achieve HIPAA compliance by themselves, the guidelines now conclude it's no longer reasonable for smaller businesses to go it alone without support from managed service providers, given HIPAA's increased complexity and today's threat landscape.
Finally, the average HIPAA fine enforced by regulators has actually come down in cost. Good news, right? Not quite. Because the fines are lower, they are now enforced far more frequently, increasing the danger for businesses. Previously, regulators would hit businesses with lethal seven-figure fines, but very rarely. The new approach utilizes $35,000-50,000 fines per violation that businesses can realistically pay -- and expects them to. Naturally, enforcement is increasing, making expert execution of comprehensive HIPAA-compliant practices all the more essential.
BN: The FTC Safeguards Rule is becoming increasingly ubiquitous and has big teeth. How challenging is it to maintain compliance?
CR: The first challenge for businesses is to understand that they're required to demonstrate compliance in the first place. The FTC Safeguards Rule states that any business (under FTC jurisdiction and not that of another regulator) that acts as a 'financial institution' must maintain an effective security program to keep customer data protected and confidential. The surprise for many is that 'financial institution' means any business involved in transferring money to and from customers. That includes millions of unsuspecting businesses -- from mortgage brokers to car dealerships to roofing companies.
From a security perspective, the FTC Safeguards Rule specifically calls for a business to designate a qualified information security program leader (which could be an internal employee or MSP/MSSP professional). Businesses must conduct written risk assessments and introduce safeguards to meet those risks -- including access controls, data encryption, multi-factor authentication, secure data disposal, activity logs, and more. Businesses must also conduct continuous security testing, introduce employee security training, monitor service providers, and keep their security programs aligned with often-changing requirements. The FTC Safeguards Rule's big teeth come in the form of $100,000 fines per violation, and additional fines that can even target a business's individual officers and directors. Non-compliant businesses may also put their licensing at risk.
While that list of compliance requirements may seem daunting for businesses unfamiliar with cybersecurity regulations, meeting those duties is well within the wheelhouse of experienced security professionals. The FTC Safeguards Rule is currently in enforcement: businesses that do find it challenging to comply should quickly find capable security personnel or partners eager to help.
BN: CMMC 2.0 is a particularly complex certification for anyone working with US government contracts. What are some of the misconceptions with this tricky security standard?
CR: As compliance frameworks go, CMMC is indeed particularly dynamic. It requires businesses and their partners to keep on top of developments and adjust security postures accordingly. The final implementation of CMMC 2.0 is set for 2025, which includes major changes from the previous version, and likely more to come.
CMMC includes 110 security controls, with some the subject of a healthy back and forth between the rulemaking board and the community to define exactly what's required. (Differing approaches to achieving FIPS validation come to mind.) Any business with the misconception that regulations like CMMC are written in stone and not the living, evolving frameworks they are will need a reality check, and likely a more vigilant and adaptive approach to security than they currently have.
Another troublesome source of misconceptions is that some tools in the marketplace claim to deliver on CMMC compliance, but don't at all. Businesses may then have false assumptions that they're correctly gearing up for CMMC compliance and a bright future with government-affiliated clients -- when they're actually far off from that goal. When it comes to the expertise required to achieve cybersecurity compliance, CMMC has a particularly high threshold.
BN: How does cyber insurance fit into the security compliance discussion? Is it necessary?
CR: Cyber insurance should go hand-in-hand with cybersecurity compliance. Cyber insurance mitigates the risk and financial impact of cybersecurity incidents, including the costs of a data breach, related investigative, legal, and public relations expenses in the aftermath, as well as fines from regulators. At the same time, insurers aren't in business to lose money, and will require that a business actively demonstrates cybersecurity protections that mirror the requirements mandated in cybersecurity compliance frameworks. Therefore, a business able to meet compliance mandates is well-positioned to successfully meet cyber insurance policy requirements and assure its protections.
I want to make the point that cyber insurance isn't just becoming a necessity. It's destined to be unavoidable. The day is coming soon when nearly every organization will be required to carry cyber insurance, because a cybersecurity failure can so easily wipe out a business. The government has an interest in the stability of businesses representing key infrastructure. Smart lenders already require smaller businesses to carry cyber insurance, after being burned by companies that couldn't repay their loans. Many third-party contracts now regularly require cyber insurance for supply chain partners. Even MSPs are increasingly writing cyber insurance requirements into their managed service agreements to protect themselves. Ultimately, that growing pressure will force businesses to improve their cybersecurity practices across the board.
Image credit: BiancoBlue/depositphotos.com