Cyber and information security is considered by some to be the biggest challenge organizations collectively face today. A study by Juniper Research predicts that the global cost of data breaches will reach $2.1 trillion by 2019. These incidents, whether caused by criminals, foreign governments, or hacktivists, are costly for organizations and distressing for consumers, and they create the possibility of real systemic damage to whole industries, and even to nations. So it is hardly surprising that regulators and legislators around the world are moving into action.
In the wake of the profusion of attacks against a wide range of organizations in 2016 and 2017, governments are stepping up through a range of legislative and regulatory initiatives. These are aimed broadly at cyber risk, and in certain industries and jurisdictions they call out explicitly that companies must manage that risk across their third party relationships as well. The expectation is that regulatory focus on cyber risk in third party relationships will only continue to expand. Overall, the five top trends in cyber security regulation, across organizations and their third parties, are:
- Focus on getting business continuity right – There is a recognition that no amount of prevention will deliver 100% protection against cyber or information security incidents that could erupt and disrupt the business. Regulators, with an eye firmly on potential systemic risks as well as on the safety and soundness of individual financial services organizations, are therefore focusing on business continuity and disaster recovery. In some jurisdictions, such as the US, regulators are looking to raise standards through more robust testing, especially of arrangements that involve third parties.
- New urgency to reporting cyber attacks – Regulators are either putting event reporting programs in place or beefing up the programs that they already had. An example is the UK’s FCA, which launched a new webpage in mid-May that consolidated all of the regulator’s pronouncements on cyber risk and explained event reporting procedures. The European Central Bank announced in June 2017 that EU banks will now have to register “major incidents” of cyber attacks with the body. Organizations will need to ensure they have tested protocols in place for identifying and reporting cyber attacks that involve their third parties.
- “Broken windows” approach to prevention – The UK’s FCA says that firms could eliminate up to 80% of the cyber risks they face by managing their IT infrastructure more effectively, in particular through proper patch management and employee training. It advocates programs such as ‘Cyber Essentials’ and the ‘10 steps to cyber security’. This mirrors law enforcement approaches that reduce crime rates by addressing low-level issues first. Organizations will be asked to show that their third parties have implemented, or have programs in place to address, these basics.
- Information security is a priority – The EU’s GDPR is the most obvious example of how governments and law enforcement are keen to ensure that companies protect the data they hold. But make no mistake: more regulation around information security is a global trend. Protocols and processes for information security will be fundamental to any third party relationship that involves personal data.
- Cyber and information security are “risks” – Regulators, particularly in financial services, are publicly stating that cyber and information security issues should be part of an organization’s enterprise risk management program, with all of the governance and infrastructure that this entails. For example, the US banking regulators are looking to embed cyber risk into organizations’ overall enterprise risk management frameworks.