As the transition to a new Presidential administration unfolds, uncertainty abounds. Predictions made about the regulatory landscape made before November may not ring as true, as Republicans look to make good on promises about smaller government and regulatory reform, particularly in banking and finance. Likewise, the potential repeal of the Affordable Care Act and significant changes to Medicare will make waves in health care regulation. In times characterized by dramatic change and unpredictability, it’s important to refocus on what you know, what you can control and how you can create a more resilient business.
It’s important not to lose perspective: while many federal agencies (and their mandates) will be reshaped by new leadership or directed to change their priorities, state and industry regulations may not shift – or may react in opposition. Enterprise risk profiles and existing threat conditions may not be markedly affected by changes at the federal level. Organized cybercrime syndicates, for example, probably don’t care much about who’s in the White House.
Organizations that have been working to strengthen their cybersecurity stance, manage risk and protect customer data and privacy have no reason to pull back on those efforts; in fact, they should work to optimize their governance, risk and compliance programs as organized defense against threats to their goals and trusted status.
The following are some forward-looking statements that will help guide regulated enterprises through the transition and beyond.
Billions will be spent on cybersecurity by thousands of companies. Only a fraction of those companies will get the full value from their investments.
Governments, insurance agencies and consumers are turning up the pressure on those responsible for protecting data security and privacy. In response, organizations are spending more and more on cyber tools such as SIEMs, vulnerability scanners, penetration tests and threat feeds. Other companies are responding by building robust governance frameworks and ensuring their policies address risks, legal concerns, contractual obligations and best practices. Each element of cybersecurity is important and required for a successful cybersecurity program, but better integration among components will strengthen the enterprise.
The duplicative and separate efforts required to manage all the tools, feeds, workflows and other components of a cybersecurity program with manual processes in spreadsheets and email are often overlooked and lead to wasted resources and gaps in protection. This extra and unnecessary burden will slow down efforts, make reporting inefficient and ineffective and add unnecessary complications and delays that ultimately render security programs costlier and less secure. Centralizing and integrating security, compliance and risk management in a comprehensive governance, risk management and compliance (GRC) platform ensures a better return on investments of time, effort and money. It also brings greater visibility into the effectiveness of controls and processes across the enterprise. Advanced analytics, automation and streamlined reporting increase accountability and collaboration.
Governments will increasingly mandate stronger cyber risk management, beginning with regulated industries, but eventually reaching all types of businesses.
Cybercriminals are not going away. They will continue to hack into sensitive data of businesses, celebrities, politicians, financial institutions, health care organizations and more. If there is value in the data, the criminals will try to capture it and leverage it for financial gain, power plays or larger exploits. We have already seen rapid evolution in cybersecurity and data privacy regulations in industries such as health care and financial services. Regulators are somewhat removed from partisan politics and often set rules outside of federal legislative processes. We should expect more industry regulators to focus on cybersecurity initiatives.
States will also step into the void, pushing laws that require industries to protect their cyber assets and customers. This is likely to happen at an industry level first; many states have a handful of dominant industries to protect and oversee. We will see more states developing laws that are stronger or slightly different than federal regulations and laws, leading to extra compliance-related work and costs for organizations in those industries of focus. New York’s newly proposed cybersecurity requirements for financial services firms (23NYCRR Part 500), planned to take effect in January 2017, are a prime example. Integrating risk management processes is the best way to prepare for multiple, evolving layers of regulation.
Third-party risk management practices will extend to customers as vendors are fined more for violations related to the customers they support.
The continued effort to reduce risk will lead to greater focus on organizations’ customers and suppliers. As companies deepen their knowledge of operational and compliance risks, they will learn how suppliers and customers add to their risks. By now, everyone has heard the cautionary tale of the HVAC vendor that was partially responsible for the massive breach at Target. It makes sense that material suppliers can impact the overall quality of goods manufacturers make. Customers’ actions can likewise expose the organizations that supply them goods and services to various threats and vulnerabilities. For example, internet and cloud service providers may need to assess customers on their propensity to download illegal content and to enforce sanctions against customers that use the internet to perform illegal actions. As organizations get wiser about risk and how customers and vendors impact it, they will start taking specific protective and preventative measures: monitoring key performance indicators and key risk indicators and performing risk assessments of vendors and customers.
Instead of wasting energy speculating about the incoming administration’s next move, regulated enterprises should use the next several months to focus on cybersecurity best practices, review and assess risk profiles across the enterprise and improve compliance and policy management processes by integrating these efforts in a comprehensive GRC platform. Pay attention to the details of process and execution; commit to a higher degree of accountability and collaboration; and plan strategically for multiple scenarios. Optimized and streamlined governance, risk and compliance programs that are integrated across the enterprise will strengthen the business overall and build more agile response capabilities, key to success in periods of uncertainty.