Summary
Due to the volatility, force and pace with which technological innovation is moving through the
global economy, cyber risk has become the biggest contemporary threat to all actors, especially
private enterprise.
Taking a regulatory perspective must be a key part of any overall successful strategy. However,
as regulations are growing increasingly complex, doing the minimum in compliance is not
enough anymore. It is increasingly evident that governments and customers will view a
provider’s security posture less from a compliance perspective and more as a competitive
differentiator. A provider of products and services will have to consider compliance simply as
the ante to earn the right to compete in the marketplace.
Drivers for regulations are most abundant in Financial Services; Healthcare;
Telecommunications; Critical Infrastructure and Government systems.
Despite high profile breaches — from Target to Yahoo — legislation to toughen data protection
standards hasn't gained traction, but it's not for lack of effort.
A search for "cyber security" yields 141 pieces of legislation — including bills and amendments
— that have gone before the 115th Congress with those words in the title or body and cover a
variety of areas.
Given the current focus of the Administration to “deregulate” and a partisan Congress, it is less
likely that sweeping new national regulation will be realized over the next two years. This
means that the States (like what we are seeing from California, Maryland and New York) will be
driving a great deal of the regulatory changes. It is more than fair to say that regulation alone
does not make any system more secure. Coming to terms on consistent metrics will be key. One
cannot manage what one cannot measure.
The Challenge in Cybersecurity Regulation
Cybersecurity is a fast-morphing mix of people adapting their behavior to new ways of doing
things with even newer technologies. This means that making any assumptions about what
regulations will be needed six days; six weeks; and six months from now is more than
Page 2
CYBERSECURITY REGULATIONS ORLANDO, JOE [US-US]
problematic. Most legislation is initiated well after the fact and driven by a wave of litigation
and special interest lobbying. Meaningful cyberwarfare requires a more expeditious approach.
To regulate something, you must know all the players; the expected and desired actions of each
of the players and the mutually agreed upon desired outcome. To leverage the sports
metaphor, we know the right number of players in the game; their positions relative to one
another and what it means to score a point.
In the cyber world, we can’t know all the players; we cannot predict “how” they will arrive to
play; whether they come to “score points” or to simply disrupt the game; and the rules, as
outlined, are merely guideposts for what to avoid. And, currently, only one team plays offense
and the other defense, throughout the competition. This game never ends.
In order for citizens, governments, and industries to be able to begin to effectively regulate
cybersecurity, we must find a common definition of terms; a comprehensive series of
meaningful metrics; a consensus on approach; a consistent application across geographies; a
constructive incentive scheme and a crushing global deterrent.
The current internet infrastructure and regulatory frameworks are poorly tailored to keep pace
with the evolution of the internet and the digital realm in general. A very significant number of
NIST publications are in the process of being revised, rewritten and/or retired based on the
introduction of new technologies and the obsolescence of others, and most of these
publications were written in this millennium. NIST Special Publication 800-53 Rev. 1
was published in 2008.
Therefore, a majority severely lag behind present technology and threat level awareness. This is
because the internet infrastructure was not designed to cope with present data quantities and
the myriad of actors challenging the very scope and content of it.
Cyber security legislation and compliance, if it comes into force, is ever-shifting.
Consequently, it is crucially important that companies anticipate tomorrow’s regulatory
environment. In particular, when they are active in multiple jurisdictions, it is fundamental to
systematically track evolving laws and regulations in order to be able to respond to legal and
political challenges on time.
Which Laws Kick Started Cyber Regulations?
There are three main federal cybersecurity regulations:
• 1996 Health Insurance Portability and Accountability Act (HIPAA)
• 1999 Gramm-Leach-Bliley Act
• 2002 Homeland Security Act, which included the Federal Information Security
Management Act (FISMA)
These three regulations mandate that healthcare organizations, financial institutions, and
federal agencies should protect their systems and information. However, these rules are not
foolproof in securing the data and require only a “reasonable” level of security.
For example, FISMA, which applies to every government agency, “requires the development
and implementation of mandatory policies, principles, standards, and guidelines on information
security”.
But these regulations do not address numerous computer-related industries, such as Internet
Service Providers (ISPs) and software companies. Furthermore, the vague language of these
regulations leaves much room for interpretation.
More Recent Federal Cybersecurity Laws
In a recent effort to strengthen its cyber security laws, the federal government is introducing
several new cyber security laws as well as amending the older ones for a better security
ecosystem. Amendments and expansion of these existing laws could happen well before any
new regulation is passed. Below are a few of them:
• Cybersecurity Information Sharing Act (CISA): Its objective is to improve cybersecurity
in the United States through enhanced sharing of information about cybersecurity
threats, and for other purposes. The law allows the sharing of Internet traffic
information between the U.S. government and technology and manufacturing
companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in
the Senate October 27, 2015.
• Cybersecurity Enhancement Act of 2014: It was signed into law December 18, 2014. It
provides an ongoing, voluntary public-private partnership to improve cybersecurity and
strengthen cybersecurity research and development, workforce development and
education and public awareness and preparedness.
• Federal Exchange Data Breach Notification Act of 2015: This bill requires a health
insurance exchange to notify each individual whose personal information is known to
have been acquired or accessed as a result of a breach of security of any system
maintained by the exchange as soon as possible but not later than 60 days after
discovery of the breach.
• National Cybersecurity Protection Advancement Act of 2015: This law amends the
Homeland Security Act of 2002 to allow the Department of Homeland Security’s (DHS’s)
national cyber security and communications integration center (NCCIC) to include tribal
governments, information sharing and analysis centers, and private entities among its
non-federal representatives. There have been very recent moves to create centers for
cybersecurity expertise and focus driven out of the DHS.
To reiterate, most regulation is the result of a great deal of litigation and a well-documented
history of cyber security losses. Sustainable regulation has to be driven by collaborative efforts on
both sides of the aisle in Congress. In the current session of Congress, over 141 pieces of cyber
related legislation have been introduced.
Working against rapid adoption of many of these efforts are aggressive efforts by the current
Administration to deregulate; lobbying for industries resisting regulation; partisan politics; lack
of consistent interpretation of terms, outcomes, approaches, metrics and enforcement entities;
jurisdictional conflicts; geographic dispersion; and the absence of a genuine economic
incentive.
Note: To explore the Acts (and Amendments) in Congress in this session regarding Cybersecurity:
https://www.congress.gov/search?q=%7B%22congress%22%3A%22115%22%2C%22source%22%3A%22legislation%22%2C%22search%22%3A%22cybersecurity%22%7D&searchResultViewType=expanded
In the Absence of Federal Laws We Will See More from State Laws
State governments also have taken sincere measures to improve cyber security by increasing
public visibility of firms with weak security.
Cybersecurity Laws of California
In 2003, California passed the Notice of Security Breach Act which requires that any
company that maintains personal information of California citizens and has a security
breach must disclose the details of the event. Security breach
regulations punish firms for their cyber security failures while giving them the freedom
to choose how to secure their systems.
This regulation creates an incentive for companies to proactively invest in cyber security
to avoid potential loss of reputation and economic loss. This worked well for California,
and several other states have since implemented similar security breach notification
regulations.
Cyber Security Laws of New York
The financial services industry is a significant target of cyber security threats. Over the
past few years, the New York State Department of Financial Services (“DFS”) has been
closely monitoring the ever growing threat posed to information and financial systems
by nation-states, terrorist organizations, and independent criminal actors.
Given the seriousness of the issue and the risk to all regulated entities, certain
regulatory minimum standards are warranted, while not being overly prescriptive so
that cyber security programs can match the relevant risks and keep pace with
technological advances.
Accordingly, this regulation is designed to promote the protection of customer
information as well as the information technology systems of regulated entities. This
regulation requires each company to assess its specific risk profile and design a program
that addresses its risks in a robust fashion.
The New York Cyber Security regulation has been effective since March 1, 2017.
Covered Entities will be required to annually prepare and submit to the superintendent
a Certification of Compliance with New York State Department of Financial Services
Cybersecurity Regulations commencing February 15, 2018.
More State Regulations to Come
Cybersecurity continues to be a concern for government and the private sector. It has
enormous implications for government security, economic prosperity and public safety.
States are addressing cybersecurity through various initiatives, such as providing more funding
for improved security measures, requiring government agencies or businesses to implement
specific types of security practices, increasing penalties for computer crimes, addressing threats
to critical infrastructure and more.
At least 35 states, D.C. and Puerto Rico introduced/considered more than 265 bills or
resolutions related to cybersecurity. Some of the key areas of legislative activity include:
• Improving government security practices.
• Providing funding for cybersecurity programs and initiatives.
• Restricting public disclosure of sensitive government cybersecurity information.
• Promoting workforce, training, economic development.
At least 22 states have enacted 52 bills so far in 2018. Every day, more regions introduce new
privacy and data protection bills on their way to becoming law.
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
A Glimpse into a Globalized Regulatory Future
Nothing in recent history has had a global impact on industry as much as the General Data
Protection Regulation (GDPR). The expected departure of the UK from the EU (Brexit) will most
certainly be a catalyst for additional regulation.
By mid-2019, enforced compliance with the NIS Directive by the EU member states will take place.
Therefore, it is important to know whether our business is affected by the NIS, what it requires us to
do, and what this might mean in the years to come.
https://www.ncsc.gov.uk/guidance/introduction-nis-directive
The premise behind the NIS Directive is a need to improve the security of network and
information systems across the UK, with a particular focus on essential services which if
disrupted, could potentially cause significant damage to the economy, society and individuals’
welfare.
The technical requirements for the NIS Directive are limited. In order to enforce compliance
with local regulation, a government must designate Competent Authorities (CAs) having the
power to judge whether operators of critical infrastructure are complying with the regulation.
CAs are part of existing government agencies, although their structure can be different in each
country. For example, in the UK there is a CA for each sector such as railroads and energy,
whereas Germany relies on a single CA, which is the BSI (Bundesamt für Sicherheit in der
Informationstechnik).
Since the implementation of the NIS in local regulation is very recent, it still has to be shown
how these CAs will adopt their new responsibilities.
A Small Sample of New Global Requirements
Cyber standards are being raised throughout Europe and Asia as well, with national
governments encouraging tighter security measures when working with the private sector.
• European Union: The new Network and Information Security (NIS) Directive calls for
additional security protocols specific to government agencies when utilizing digital
service providers and considers extending these measures to contractors and suppliers.
• United Kingdom: In order to qualify for government awards, private sector government
contractors must comply with the Cyber Essentials Scheme, involving protection of
citizens’ personal information or government data classified at the “Official” level and
above. From 1 October 2014, Government requires all suppliers bidding for contracts
involving the handling of certain sensitive and personal information to be certified
against the Cyber Essentials scheme (base cost of about £300)
https://www.cyberessentials.ncsc.gov.uk
• Australia: Government contractors and suppliers must comply with Protective Security
Policy Framework (PSPF) and Information Security Manual (ISM) requirements; the
Department of Finance requires suppliers to include data protection plans using industry
accepted standards with their proposals/contracts and to report breaches.
Australia’s Notifiable Data Breaches scheme
The NDB scheme applies from 22 February 2018 to all agencies and
organizations with existing personal information security obligations under the
Privacy Act. It was established by the passage of the Privacy Amendment
(Notifiable Data Breaches) Act 2017.
The scheme includes an obligation to notify individuals whose personal
information is involved in a data breach that is likely to result in serious harm.
The notification must include recommendations about the steps individuals
should take in response to the breach. The Australian Information Commissioner
(Commissioner) must also be notified of eligible data breaches.
Who must comply with the NDB scheme?
The NDB scheme applies to agencies and organizations that the Privacy
Act requires to take steps to secure certain categories of personal
information. This includes Australian Government agencies, businesses
and not-for-profit organizations with an annual turnover of $3 million or
more, credit reporting bodies, health service providers, and TFN
recipients, among others.
Breach Notification Form:
https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
• Japan: Contractors are required to abide by security policies aligned with government
procurement guidelines.
To Anticipate What Will Need Regulating
Regulations become dated the moment they are placed into effect. Trying to anticipate where
regulation will be needed can be driven by what trends in technologies we can forecast.
These trends bring together technologies with the potential to initiate lasting transformation in
the digital ecosystem, which we define as all of the infrastructure, software applications,
content, and the social practices that determine how the ecosystem is used. The largest trends
are as follows:
1. Cloud computing
2. Big data
3. The Internet of things
4. Mobile Internet
5. Brain-computer interfaces
6. Near-field communication (NFC) payments
7. Mobile robots
8. Quantum computing
9. Internet militarization/weaponization
10. Blockchain and open journaling technologies
11. Crypto Currencies
A Consensus on Predictions that will Impact Cybersecurity
1. While Governments and Private Enterprise Slowly Invest in Artificial Intelligence to
Support Cyber Security, Attackers Will Aggressively Invest in AI to Aid in Their Attacks
2. Growing 5G Deployment will open up a new dimension in cyber-attack surfaces
A number of 5G network infrastructure deployments kicked off this year, and 2019 is
shaping up to be a year of accelerating 5G activity. While it will take time for 5G
networks and 5G-capable phones and other devices to become broadly deployed,
growth will occur rapidly. IDG, for example, calls 2019 “a seminal year” on the 5G front,
and predicts that the market for 5G and 5G-related network infrastructure will grow
from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound
annual growth rate of 118 percent.
Over time, more 5G IoT devices will connect directly to the 5G network rather than via a
Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For
home users, it will also make it more difficult to monitor all IoT devices since they
bypass a central router. More broadly, the ability to back-up or transmit massive
volumes of data easily to cloud-based storage will give attackers rich new targets to
breach.
3. IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous
Forms of Attack
4. Attackers will increasingly Capture Data in Transit
In 2019 and beyond, we can expect increasing attempts to gain access to home routers
and other IoT hubs to capture some of the data passing through them. Malware
inserted into such a router could, for example, steal banking credentials, capture credit
card numbers, or display spoofed, malicious web pages to the user to compromise
confidential information.
5. The Supply Chain will Become (more than it already has) an Attack Target
An increasingly common target of attackers is the software supply chain, with attackers
implanting malware into otherwise legitimate software packages at its usual distribution
location. Such attacks could occur during production at the software vendor or at a
third-party supplier. The typical attack scenario involves the attacker replacing a
legitimate software update with a malicious version in order to distribute it quickly and
surreptitiously to intended targets. Any user receiving the software update will
automatically have their computer infected, giving the attacker a foothold in their
environment.
These types of attacks are increasing in volume and sophistication and we could see
attempts to infect the hardware supply chain in the future. For example, an attacker
could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS
before such components are shipped out to millions of computers. Such threats would
be very difficult to remove, likely persisting even after an impacted computer is
rebooted or the hard disk is reformatted.
6. Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory
Activity
The European Union’s mid-2018 implementation of the General Data Protection
Regulation (GDPR) will likely prove to be just a precursor to various security and privacy
initiatives in countries outside the European Union. Canada has already enforced GDPR-
like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to
enter into force in 2020. Singapore and India are consulting to adopt breach notification
regimes, while Australia has already adopted different notification timelines compared
to GDPR. Multiple other countries across the globe have adequacy or are negotiating
GDPR adequacy. In the U.S., soon after GDPR arrived, California passed a privacy law
considered to be the toughest in the United States to date. We anticipate the full impact
of GDPR to become clearer across the globe during the coming year.
At the U.S. federal level, Congress is already wading deeper into security and privacy waters.
Such legislation is likely to gain more traction and may materialize in the coming year.
Inevitably, there will be a continued and increased focus on election system security as the U.S.
2020 presidential campaign gets underway.
While we’re almost certain to see upticks in legislative and regulatory actions to address
security and privacy needs, there is a potential for some requirements to prove more
counterproductive than helpful. For example, overly broad regulations might prohibit security
companies from sharing even generic information in their efforts to identify and counter
attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities
even as they close others.
How Can Regulators Narrow the Gap?
Rather than concede defeat, Regulators can do more to stay abreast of the challenges
presented by emerging technologies if they were to:
1. Develop and deploy permanent monitoring procedures and tools, the purpose of
which will be to monitor the development of the digital ecosystem by surveying the
various actors and interactions, and to assess the effects of these transformations on
cyber security.
2. Align the regulatory regimes applicable to the various infrastructures, applications
and content with the resources and strategies implemented by a growing number of
government actors, as well as their private partners, in order to quickly detect emerging
digital risks and limit their impact on a constantly evolving ecosystem.
3. Initiate an in-depth consultation and reflection exercise to formulate proposals on
how to restructure existing government institutions or create new ones to adapt the
government’s intervention and coordination abilities to the new needs.
4. Intensify empirical research on the transformations of risks, standards and practices
associated with privacy protection in the digital ecosystem.
5. Accentuate coordination and knowledge-transfer initiatives of national and state
authorities in order to accelerate and standardize the development of local capabilities.
This will require a near complete collaboration of efforts at the local, national and international
levels.
One recognized and recommended approach is for the Federal Government to establish a
single Agency with a consolidating charter and authority to drive advancements in
cybersecurity.
To succeed, the national cybersecurity agency should have appropriate statutory
powers. Currently, most national cybersecurity agencies are established not by statute but by
the delegation of existing powers by other parts of government. We anticipate that this
approach will need to change with the passage of comprehensive cybersecurity laws. The
delegation of existing powers, which may be subject to multiple underlying regulations, may
not be sufficient to provide the national cybersecurity agency with all of the powers it requires
to effectively carry out its new functions.
Currently, the Department of Justice has both the FBI and the National Cyber Investigative Joint
Task Force (NCIJTF). The Department of Homeland Security and the Office of the Director of
National Intelligence (DNI) apply themselves to the Cyber Threat Intelligence Integration
Center. Meanwhile, the Federal Trade Commission (FTC), the Secret Service and the National
Institute of Standards and Technology (NIST) make occasional joint efforts to bolster the
nation’s cybersecurity readiness. In February 2018, the Department of Energy (DOE)
announced the establishment of the Office of Cybersecurity, Energy Security and Emergency
Response (CESER). The DOE’s program intends to target energy infrastructure in the country.
COMPLIANCE as a Leader and Not Simply a Monitor
Cyber security risk usually extends to all business units, operational units, employees and key
third parties. That is why the compliance function is growing as a critical role. Whenever
organizations need to do something in an ongoing and systematic way, where people are to be
held accountable, Compliance is front and center. Here are five ways Compliance can play a
pivotal role in a cross-functional approach to cyber security.
1. Own or Implement a Cyber Risk Assessment
Compliance regularly operates in the world of risk assessments and understands how to
identify an organization’s greatest risk by developing a comprehensive risk profile. With a full
understanding of a company’s risks and threats, Compliance can guide an organization’s
approach and control environment to effectively manage and mitigate risks while at the same
time deploying scarce resources toward the most significant among them.
2. Embed Regulatory Requirements into Business Operations
As with other enterprise-wide risks, cyber security is a regulatory compliance challenge for an
increasing number of companies. As mentioned above, there is a growing number of fairly
nuanced regulations addressing cyber security that apply to private and public sectors, specific
industries, and specific data sensitivities. The compliance function has the competence to
design and implement policies, procedures and controls that meet these requirements.
3. Connect the Functional Dots Across the Organization
Cyber security is an enterprise-wide risk and requires a cross-functional approach for
management. Compliance is skilled in building a systematic approach across an enterprise. It
has the regular contact and seniority to engage effectively with the C-suite, Legal, HR and other
functional and operational teams. Compliance can connect the dots across an organization.
4. Address the “People & Processes” of Cyber Security
Cyber security involves an integrated approach to “people, processes and technology.” The
compliance function has deep insights into how to engage broadly with employees and how to
collect and analyze data through the monitoring and audit processes needed to manage risks.
This proficiency in influencing employee behavior and organizational culture is a necessary skill
needed to complement the protection efforts deployed by the technology function.
5. Developing & Tracking Program KPIs
As another aspect of monitoring, Compliance has expertise in developing key performance
indicators (KPIs) and specific metrics to track progress and ROI, as well as developing a rhythm
for board reporting, and reporting externally, as appropriate. Consistent application of KPIs will
help cyber security programs mature over time with a cadence toward continuous
improvement. Being on a trajectory of maturing practices not only builds stronger resilience but
also demonstrates to customers, partners and regulators, as needed, a commitment to risk
management, compliance and best practices.
Now, more than ever, Compliance must play an integral part in any organization’s cross-
functional cyber security program to make sure such efforts are enterprise-wide, consistent
with regulatory requirements and embedded in how the company operates and its people
conduct their work. As with other compliance issues, organizations will need to be in a position
to tell their story of continuous improvement through KPIs, metrics and demonstration of using
best practices.
CONCLUSION
There are cries to regulate the disruptive tech giants to include Google, Amazon, Twitter and
Facebook. Not only are their business models being scrutinized but the pervasiveness of their
emerging connected environments (auto driving vehicles; artificial intelligence; Internet of
Things; telecommunications and more!) challenges the idea of effective self-regulation.
Not to make a political statement, but in the next two years, under an administration bent on
deregulation (as we have seen with many consumer protection laws; environmental and
financial services regulation) and with partisan divisions, we are less likely to see any major
sweeping national regulations get through Congress. This will mean that the individual States
(as we are seeing with California, New York and Maryland) will drive more regulating strategies.
Final thoughts
Perhaps redundantly, it has to be stressed that cybersecurity should not and cannot be driven
by regulation. Regulatory relief comes too late. The drivers of innovation and inventiveness
come from business drivers and the strong desire to “be first!” in a competitive society.

Forecast cybersecurity regulation v3

  • 1. Summary Due to the volatility, force and pace with which technological innovation is moving through the global economy, cyber risk has become the biggest contemporary threat to all actors, especially private enterprise. Taking a regulatory perspective must be a key part of any overall successful strategy. However, as regulations are growing increasingly complex, doing the minimum in compliance is not enough anymore. It is evident, more and more, governments and customers will view a provider’s security posture less from a compliance perspective and more as a competitive differentiator. A provider of products and services will have to consider compliance simply as the ante to earn the right to compete in the marketplace. Drivers for regulations are most abundant in Financial Services; Healthcare; Telecommunications; Critical Infrastructure and Government systems. Despite high profile breaches — from Target to Yahoo — legislation to toughen data protection standards hasn't gained traction, but it's not for lack of an effort. A search for "cyber security" yields 141 pieces of legislation — including bills and amendments — that have gone before the 115th Congress with those words in the title or body and cover a variety of areas. Given the current focus of the Administration to “deregulate” and a partisan Congress, it is less likely that sweeping national new regulation will be realized over the next two years. This means that the States (like what we are seeing from California, Maryland and New York) will be driving a great deal of the regulatory changes. It is more than fair to say that regulation alone does not make any system more secure. Coming to terms on consistent metrics will be key. One cannot manage what one cannot measure. The Challenge in Cybersecurity Regulation Cybersecurity is a fast-morphing mix of adapting new behaviors in people to new ways of doing things and with even newer technologies. 
This means that making any assumptions about what regulations will be needed six days; six weeks; and six months from now is more than
  • 2. Page 2 CYBERSECURITY REGULATIONS ORLANDO, JOE [US-US] problematic. Most legislation is initiated well after the fact and driven by a wave of litigation and special interest lobbying. Meaningful cyberwarfare requires a more expeditious approach. To regulate something, you must know all the players; the expected and desired actions of each of the players and the mutually agreed upon desired outcome. To leverage the sports metaphor, we know the right number of players in the game; their positions relative to one another and what it means to score a point. In the cyber world, we can’t know all the players; we cannot predict “how” they will arrive to play; whether they come to “score points” or to simply disrupt the game; and the rules, as outlined, are merely guideposts for what to avoid. And, currently, only one team plays offense and the other defense, throughout the competition. This game never ends. In order for citizens, governments, and industries to be able to begin to effectively regulate cybersecurity, we must find a common definition of terms; a comprehensive series of meaningful metrics; a consensus on approach; a consistent application across geographies; a constructive incentive scheme and a crushing global deterrent. The current internet infrastructure and regulatory frameworks are poorly tailored to keep pace with the evolution of the internet and the digital realm in general. A very significant number of NIST publications are in the process of being revised, rewritten and/or retired based on the introduction of new technologies and the obsolescence of others…and most of these publications were mostly written since in this millennia. NIST Special Publication 800-53 Rev. 1 was published in 2008. Therefore, a majority severely lag behind present technology and threat level awareness. This is because the internet infrastructure was not designed to cope with present data quantities and the myriad of actors challenging the very scope and content of it. 
Cyber security legislation and compliance – if come into force – is ever-shifting. Consequently, it is crucially important that companies anticipate tomorrow‘s regulatory environment. In particular, when they are active in multiple jurisdictions, it is fundamental to systematically track evolving laws and regulations in order to be able to respond to legal and political challenges on time.
  • 3. Page 3 CYBERSECURITY REGULATIONS ORLANDO, JOE [US-US] Which Laws Kick Started Cyber Regulations? There are three main federal cybersecurity regulations 1996 Health Insurance Portability and Accountability Act (HIPAA) 1999 Gramm-Leach-Bliley Act 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA) These three regulations mandate that healthcare organizations, financial institutions, and federal agencies should protect their systems and information. However, these rules are not foolproof in securing the data and require only a “reasonable” level of security. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”. But, these regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, the vague language of these regulations leaves much room for interpretation. More Recent Federal Cybersecurity Laws In a recent effort to strengthen its cyber security laws, the federal government is introducing several new cyber security laws as well as amending the older ones for a better security ecosystem. Amendments and expansion of these existing laws could happen well before any new regulation is passed. Below are a few of them: Cybersecurity Information Sharing Act (CISA): Its objective is to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate October 27, 2015 Cybersecurity Enhancement Act of 2014: It was signed into law December 18, 2014. 
It provides an ongoing, voluntary public-private partnership to improve cybersecurity and strengthen cybersecurity research and development, workforce development and education and public awareness and preparedness.

Federal Exchange Data Breach Notification Act of 2015: This bill requires a health insurance exchange to notify each individual whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange as soon as possible but not later than 60 days after discovery of the breach.

National Cybersecurity Protection Advancement Act of 2015: This law amends the Homeland Security Act of 2002 to allow the Department of Homeland Security’s (DHS’s) national cyber security and communications integration center (NCCIC) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives.

There have been very recent moves to create centers for cybersecurity expertise and focus driven out of the DHS.

To reiterate, most regulation is the result of a great deal of litigation and a well-documented history of cyber security losses; sustainable regulation has to be driven by collaborative efforts on both sides of the aisle in Congress. In the current session of Congress, over 141 pieces of cyber-related legislation have been introduced. Working against rapid adoption of many of these efforts are aggressive efforts by the current Administration to deregulate; lobbying for industries resisting regulation; partisan politics; lack of consistent interpretation of terms, outcomes, approaches, metrics and enforcement entities; jurisdictional conflicts; geographic dispersion; and the absence of a genuine economic incentive.

Note: To explore the Acts (and Amendments) in Congress in this session regarding Cybersecurity:
https://www.congress.gov/search?q=%7B%22congress%22%3A%22115%22%2C%22source%22%3A%22legislation%22%2C%22search%22%3A%22cybersecurity%22%7D&searchResultViewType=expanded

In the Absence of Federal Laws We Will See More from State Laws

State governments have also taken sincere measures to improve cyber security by increasing public visibility of firms with weak security.

Cybersecurity Laws of California

In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. The security breach regulations punish firms for their cyber security failures while giving them the freedom to choose how to secure their systems.
This regulation creates an incentive for companies to proactively invest in cyber security to avoid potential loss of reputation and economic loss. This worked well for California, and several other states have since implemented similar security breach notification regulations.

Cyber Security Laws of New York

The financial services industry is a significant target of cyber security threats. Over the past few years, the New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors. Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cyber security programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.

The New York Cyber Security regulation has been effective since March 1, 2017. Covered Entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations commencing February 15, 2018.

More State Regulations to Come

Cybersecurity continues to be a concern for government and the private sector. It has enormous implications for government security, economic prosperity and public safety.

States are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure and more. At least 35 states, D.C. and Puerto Rico introduced or considered more than 265 bills or resolutions related to cybersecurity. Some of the key areas of legislative activity include:
• Improving government security practices.
• Providing funding for cybersecurity programs and initiatives.
• Restricting public disclosure of sensitive government cybersecurity information.
• Promoting workforce, training, economic development.

At least 22 states have enacted 52 bills so far in 2018. Every day, more regions introduce new privacy and data protection bills on their way to becoming law.
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx

A Glimpse into a Globalized Regulatory Future

Nothing in recent history has had a global impact on industry as much as the General Data Protection Regulation (GDPR). The expected departure of the UK from the EU (Brexit) will most certainly be a catalyst for additional regulation.

By mid-2019, forced compliance with the NIS Directive by the EU member states will take place. Therefore it is important to know if our business is affected by the NIS, what it requires us to do, and what this might mean in the years to come.
https://www.ncsc.gov.uk/guidance/introduction-nis-directive

The premise behind the NIS Directive is a need to improve the security of network and information systems across the UK, with a particular focus on essential services which, if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare. The technical requirements for the NIS Directive are limited.

In order to enforce compliance with local regulation, a government must designate Competent Authorities (CAs) having the power to judge whether operators of critical infrastructure are complying with the regulation. CAs are part of existing government agencies, although their structure can be different in each country. For example, in the UK there is a CA for each sector such as railroads and energy, while the Germans rely on a single CA, which is the BSI (Bundesamt für Sicherheit in der Informationstechnologie). Since the implementation of the NIS in local regulation is very recent, it still has to be shown how these CAs will adopt their new responsibilities.

A Small Sample of New Global Requirements

Cyber standards are being raised throughout Europe and Asia as well, with national governments encouraging tighter security measures when working with the private sector.

European Union: The new Network and Information Security (NIS) Directive calls for additional security protocols specific to government agencies when utilizing digital service providers and considers extending these measures to contractors and suppliers.

United Kingdom: In order to qualify for government awards, private sector government contractors must comply with the Cyber Essentials Scheme, involving protection of citizens’ personal information or government data classified at the “Official” level and above. From 1 October 2014, Government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme (base cost of about £300).
https://www.cyberessentials.ncsc.gov.uk

Australia: Government contractors and suppliers must comply with Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements; the Department of Finance requires suppliers to include data protection plans using industry-accepted standards with their proposals/contracts and to report breaches.

Australia’s Notifiable Data Breaches scheme

The NDB scheme applies from 22 February 2018 to all agencies and organizations with existing personal information security obligations under the Privacy Act. It was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017.

The scheme includes an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

Who must comply with the NDB scheme?

The NDB scheme applies to agencies and organizations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organizations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.

Breach Notification Form: https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB

Japan: Contractors are required to abide by security policies aligned with government procurement guidelines.

To Anticipate What Will Need Regulating

Regulations become dated the moment they are placed into effect.
Anticipating where regulation will be needed can be driven by the technology trends we can forecast.

These trends bring together technologies with the potential to initiate lasting transformation in the digital ecosystem, which we define as all of the infrastructure, software applications, content, and the social practices that determine how the ecosystem is used.

The largest trends are as follows:
1. Cloud computing
2. Big data
3. The Internet of things
4. Mobile Internet
5. Brain-computer interfaces
6. Near-field communication (NFC) payments
7. Mobile robots
8. Quantum computing
9. Internet militarization/weaponization
10. Blockchain and open journaling technologies
11. Crypto currencies

A Consensus on Predictions that will Impact Cybersecurity

1. While Governments and Private Enterprise Slowly Invest in Artificial Intelligence to Support Cyber Security, Attackers Will Aggressively Invest in AI to Aid in Their Attacks

2. Growing 5G Deployment Will Open Up a New Dimension in Cyber-Attack Surfaces

A number of 5G network infrastructure deployments kicked off this year, and 2019 is shaping up to be a year of accelerating 5G activity. While it will take time for 5G networks and 5G-capable phones and other devices to become broadly deployed, growth will occur rapidly. IDG, for example, calls 2019 “a seminal year” on the 5G front, and predicts that the market for 5G and 5G-related network infrastructure will grow from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound annual growth rate of 118 percent.

Over time, more 5G IoT devices will connect directly to the 5G network rather than via a Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For home users, it will also make it more difficult to monitor all IoT devices since they bypass a central router. More broadly, the ability to back up or transmit massive volumes of data easily to cloud-based storage will give attackers rich new targets to breach.

3. IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous Forms of Attack

4. Attackers Will Increasingly Capture Data in Transit

In 2019 and beyond, we can expect increasing attempts to gain access to home routers and other IoT hubs to capture some of the data passing through them. Malware inserted into such a router could, for example, steal banking credentials, capture credit card numbers, or display spoofed, malicious web pages to the user to compromise confidential information.

5. The Supply Chain Will Become (More Than It Already Has) an Attack Target

An increasingly common target of attackers is the software supply chain, with attackers implanting malware into otherwise legitimate software packages at its usual distribution location. Such attacks could occur during production at the software vendor or at a third-party supplier. The typical attack scenario involves the attacker replacing a legitimate software update with a malicious version in order to distribute it quickly and surreptitiously to intended targets. Any user receiving the software update will automatically have their computer infected, giving the attacker a foothold in their environment.

These types of attacks are increasing in volume and sophistication and we could see attempts to infect the hardware supply chain in the future. For example, an attacker could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS before such components are shipped out to millions of computers. Such threats would be very difficult to remove, likely persisting even after an impacted computer is rebooted or the hard disk is reformatted.

6. Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory Activity

The European Union’s mid-2018 implementation of the General Data Protection Regulation (GDPR) will likely prove to be just a precursor to various security and privacy initiatives in countries outside the European Union. Canada has already enforced GDPR-like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to enter into force in 2020. Singapore and India are consulting to adopt breach notification regimes, while Australia has already adopted different notification timelines compared to GDPR. Multiple other countries across the globe have adequacy or are negotiating GDPR adequacy. In the U.S., soon after GDPR arrived, California passed a privacy law considered to be the toughest in the United States to date. We anticipate the full impact of GDPR to become clearer across the globe during the coming year.

At the U.S. federal level, Congress is already wading deeper into security and privacy waters. Such legislation is likely to gain more traction and may materialize in the coming year.
Inevitably, there will be a continued and increased focus on election system security as the U.S. 2020 presidential campaign gets underway.

While we’re almost certain to see upticks in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful. For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others.

How Can Regulators Narrow the Gap?

Rather than concede defeat, regulators could do more to stay abreast of the challenges presented by emerging technologies if they were to:

1. Develop and deploy permanent monitoring procedures and tools, the purpose of which will be to monitor the development of the digital ecosystem by surveying the various actors and interactions, and to assess the effects of these transformations on cyber security.
2. Align the regulatory regimes applicable to the various infrastructures, applications and content with the resources and strategies implemented by a growing number of government actors, as well as their private partners, in order to quickly detect emerging digital risks and limit their impact on a constantly evolving ecosystem.
3. Initiate an in-depth consultation and reflection exercise to formulate proposals on how to restructure existing government institutions or create new ones to adapt the government’s intervention and coordination abilities to the new needs.
4. Intensify empirical research on the transformations of risks, standards and practices associated with privacy protection in the digital ecosystem.
5. Accentuate coordination and knowledge-transfer initiatives of national and state authorities in order to accelerate and standardize the development of local capabilities.

This will require a near-complete collaboration of efforts at the local, national and international levels. One recognized and recommended approach is for the Federal Government to establish a single Agency with a consolidating charter and authority to drive advancements in cybersecurity.

To succeed, the national cybersecurity agency should have appropriate statutory powers. Currently, most national cybersecurity agencies are established not by statute but by the delegation of existing powers by other parts of government. We anticipate that this approach will need to change with the passage of comprehensive cybersecurity laws. The delegation of existing powers, which may be subject to multiple underlying regulations, may not be sufficient to provide the national cybersecurity agency with all of the powers it requires to effectively carry out its new functions.

Currently, the Department of Justice has both the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). The Department of Homeland Security and the Office of the Director of National Intelligence (DNI) apply themselves to the Cyber Threat Intelligence Integration Center. Meanwhile, the Federal Trade Commission (FTC), the Secret Service and the National Institute of Standards and Technology (NIST) make occasional joint efforts to bolster the nation’s cybersecurity readiness.

In February 2018, the Department of Energy (DOE) announced the establishment of the Office of Cybersecurity, Energy Security and Emergency Response (CESER). The DOE’s program intends to target energy infrastructure in the country.

COMPLIANCE as a Leader and Not Simply a Monitor

Cyber security risk usually extends to all business units, operational units, employees and key third parties. That is why the compliance function is growing as a critical role. Whenever organizations need to do something in an ongoing and systematic way, where people are to be held accountable, Compliance is front and center.

Here are five ways Compliance can play a pivotal role in a cross-functional approach to cyber security.

1. Own or Implement a Cyber Risk Assessment

Compliance regularly operates in the world of risk assessments and understands how to identify an organization’s greatest risk by developing a comprehensive risk profile. With a full understanding of a company’s risks and threats, Compliance can guide an organization’s approach and control environment to effectively manage and mitigate risks while at the same time deploying scarce resources toward the most significant among them.

2. Embed Regulatory Requirements into Business Operations

As with other enterprise-wide risks, cyber security is a regulatory compliance challenge for an increasing number of companies. As mentioned above, there is a growing number of fairly nuanced regulations addressing cyber security that apply to private and public sectors, specific industries, and specific data sensitivities. The compliance function has the competence to design and implement policies, procedures and controls that meet these requirements.

3. Connect the Functional Dots Across the Organization

Cyber security is an enterprise-wide risk and requires a cross-functional approach for management. Compliance is skilled in building a systematic approach across an enterprise. It has the regular contact and seniority to engage effectively with the C-suite, Legal, HR and other functional and operational teams. Compliance can connect the dots across an organization.

4. Address the “People & Processes” of Cyber Security

Cyber security involves an integrated approach to “people, processes and technology.” The compliance function has deep insights into how to engage broadly with employees and how to collect and analyze data through the monitoring and audit processes needed to manage risks. This proficiency in influencing employee behavior and organizational culture is a necessary skill to complement the protection efforts deployed by the technology function.

5. Developing & Tracking Program KPIs

As another aspect of monitoring, Compliance has expertise in developing key performance indicators (KPIs) and specific metrics to track progress and ROI, as well as developing a rhythm for board reporting, and reporting externally, as appropriate. Consistent application of KPIs will help cyber security programs mature over time with a cadence toward continuous improvement. Being on a trajectory of maturing practices not only builds stronger resilience but also demonstrates to customers, partners and regulators, as needed, a commitment to risk management, compliance and best practices.

Now, more than ever, Compliance must play an integral part in any organization’s cross-functional cyber security program to make sure such efforts are enterprise-wide, consistent with regulatory requirements and embedded in how the company operates and its people conduct their work.
As with other compliance issues, organizations will need to be in a position to tell their story of continuous improvement through KPIs, metrics and demonstration of using best practices.

CONCLUSION

There are cries to regulate the disruptive tech giants, including Google, Amazon, Twitter and Facebook. Not only are their business models being scrutinized but the pervasiveness of their emerging connected environments (auto-driving vehicles, artificial intelligence, Internet of Things, telecommunications and more!) challenges the idea of effective self-regulation.

Not to make a political statement, but in these next two years under an administration bent on deregulation (as we have seen with many consumer protection laws and with environmental and financial services regulation) and with partisan divisions, we are less likely to see any major sweeping national regulations get through Congress. This will mean that the individual States (as we are seeing with California, New York and Maryland) will drive more regulating strategies.

Final thoughts

Perhaps redundantly, it has to be stressed that cybersecurity should not and cannot be driven by regulation. Regulatory relief comes too late. The drivers of innovation and inventiveness come from business drivers and the strong desire to “be first!” in a competitive society.