This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
A lot has changed in the world of cyber regulation. September 2015 saw the widely reported SEC administrative proceeding against RT Jones for violating the “Safeguards Rule” by failing to establish and implement written cyber protection policies. Next was Morgan Stanley. And this past March the Consumer Financial Protection Bureau (CFPB) brought a pre-emptive action against a company that hadn’t even had a breach.
At this stage, it’s safe to assume the list of regulators and their security requirements will continue to grow and fines and penalties will become more severe. In fact, just last week the New York Department of Financial Services (DFS) proposed new cyber guidelines for financial institutions.
In order to protect themselves, organizations need to develop cyber frameworks and internal security environments that are living, breathing and constantly evolving, both to adequately protect against outside threats and in order to meet the increasing demands of regulators. They must also ensure their cyber insurance policies provide sufficient coverage for regulatory proceedings and associated penalties.
When controls fail and security incidents occur, it goes without saying that investigations and fines are close behind. A review of the FTC’s cyber enforcement actions demonstrates that regulatory enforcement is not limited to Fortune 500 companies; many “smaller” companies appear on that list as well. The most common causes of enforcement actions revolve around:
- Security failures and failure to protect employee data: The most commonly referenced violations included misleading statements and misrepresentations regarding the adequacy or extent of security measures taken, failure to properly secure data, security vulnerabilities in mobile applications, failure to encrypt data and/or employ SSL, and failure to adopt written policies.
- Failure to abide by foreign and cross-border privacy rules: Cross-border and foreign cyber regulation appears to be a growing area of interest for the FTC. Since the FTC’s initial action against American Apparel in May of 2014, the agency immediately followed with enforcement against an additional 14 companies, and brought violations against another 15 companies a few months later. Most of those actions were for violations of the US-EU Safe Harbor rule.