To reduce the risk of becoming the target of a cyber regulatory action, companies should: 1) have an established cyber security/governance framework with documented policies and procedures, 2) incorporate periodic assessments, such as penetration tests and red-team exercises, to evaluate the effectiveness of implemented controls, and 3) establish and monitor metrics in order to gauge the effectiveness of adopted security controls. Most importantly, these policies and procedures should include the following:
- Appointment of a qualified chief officer to implement, oversee and manage the cyber security environment and documented policies.
- Implementation of baseline security controls such as endpoint protection (antivirus/EDR), firewalls, TLS (formerly SSL) for data in transit, access rights and multi-factor authentication.
- Documented vendor qualifications to ensure all outside providers and third-party vendors have sufficient cyber controls in place.
- Compliant data collection policies and disclosures. These policies should clearly disclose the company's practices on the collection, acquisition, use and sharing of confidential information. All "opt-in" and "opt-out" policies should be accurate and adhered to, and any changes to those policies should be promptly and properly communicated.
- Secure document identification and management. This entails ensuring data is classified, securely stored, properly encrypted at rest and in transit, and adequately disposed of at the end of its retention period.
- Employee training. With a large percentage of breaches resulting from employee errors, sufficient training is more important than ever, especially to protect the organization against phishing and social engineering attacks, which are becoming highly sophisticated in their timing, execution and methods. Employee training should address, among other items: verification of email authenticity and of wire instruction orders through an independent channel, password setting and security, and identification of email phishing schemes and other suspicious activity.
- Maintaining proper backups of critical data, system configurations and software, together with documented and regularly tested restoration procedures.
- Controlling and monitoring physical access: ensuring employees are supervised when accessing secure areas and employing key card systems that maintain access logs. Organizations should also verify the identity of all outside third-party inspectors, maintenance workers and IT professionals. For investment/financial firms and public companies, monitoring software should also be implemented to detect suspicious user behavior.
- User management and access: this includes implementing strong password policies, requiring password changes when compromise is suspected (current NIST guidance in SP 800-63B advises against routine forced rotation alone), periodically reviewing access privileges, requiring the timely installation of software updates and more.
- Formal, documented incident response plans to ensure that all breaches are contained, investigated and disclosed in a timely manner, with proper action taken. Organizations should be familiar with the varying breach notification laws in the states/countries in which they operate. Remedial action should include making necessary improvements to the cyber security framework, improving policies and procedures, and updating hardware/software in order to prevent a future breach or violation.
Lastly, when all else fails, the last line of defense is a cyber insurance policy. The regulatory defense coverage clause found in many cyber policies originated with the intent of providing coverage primarily for PII-related breaches and the follow-up PCI investigations and fines that resulted. Over time, however, that clause has been expanded significantly and refined to make it appropriate for a greater range of regulatory actions, including those encountered by financial/service firms and public companies alike.