The recent slate of breaches and regulatory actions has prompted many companies that had been doing the minimum in terms of proactive cyber risk management to rethink their approach. In the U.S., new regulations are emerging (in states like Virginia, Colorado, Massachusetts and many others), and existing regulators are increasing their enforcement, as we’ve seen from the NY Dept of Financial Services (NYDFS) and the SEC. Security professionals have been saying this for years, but financial institutions of all sizes need to take cyber security seriously or risk significant fines and reputational damage.
While organizations are still battling the headwinds of a challenging economy, a remote workforce slowly returning to the office, and a sharp increase in the number and sophistication of vulnerabilities and threats, regulators are increasing their focus on cyber risk issues. With a goal of protecting customer data, they ask questions on security and privacy with greater frequency and issue enforcement actions where both are found deficient.
In the last few months, for example, there have been several enforcement actions tied to NYDFS regulations. One of the most recent found that a midsize insurance company had failed to put proper controls in place for its Microsoft 365 environment, including fundamentals like multi-factor authentication (MFA), and suffered a breach as a result. The issue was compounded because the entity had previously certified that it had all necessary controls in place, including MFA. The resulting fine reached $1,800,000, even after the department noted "[C]ommendable cooperation throughout this investigation."
The Federal Trade Commission recently finalized a settlement with a company that provides travel emergency services, over having "[L]eft unsecured a cloud database containing 130,000 membership records." This misconfiguration put many people's health information at risk. As a result, the FTC has required the company to establish an information security program, have it assessed by a third-party assessor and certify the program and its fitness.
Security isn't the only focus of regulators; there has been a growing awareness of privacy issues. Regulations like GDPR in the EU and the California Consumer Privacy Act in the U.S. have given consumers specific rights over who does and does not have access to the information they share with businesses. There may be significant fines for non-compliance, as a web hosting company recently found in Germany. A fine of $1,000,000 was issued for failing to take "sufficient technical and organizational measures" to keep people from accessing customer information without the customer's consent.
Focus on Cyber Security Fundamentals
Regulators are working harder to make sure businesses do not let their guards down. In this threat environment, it is important to ensure you have the right people helping you build, maintain and scale your cyber security program. Our experts recommend a foundational approach covering cloud systems, detection and response, a data inventory and third-party cyber risk management.
Securing Cloud Services
One of the leading causes of a breach is not securely configuring your cloud environments. Microsoft 365, a popular and effective cloud-based software, requires specific fine tuning and configurations to reduce the likelihood of a breach. Our Kroll specialists can quickly review your organization’s Microsoft 365 configuration and draft recommendations for reducing risk. This is especially important for many organizations that have moved to the cloud rapidly due to the impact of the Coronavirus.
Detecting Ransomware Indicators Before Detonation
Ransomware continues to make headlines, with organizations across every sector facing the dilemma of choosing between replacing an entire network that has been encrypted by malicious hackers or paying the ransom, which commonly reaches millions of dollars. Businesses can reduce the risk of having to make this choice by investing in employee training, ensuring that secure backups exist and testing their systems so that vulnerabilities are patched. We’ve developed a dedicated ransomware preparedness assessment to help your organization avoid having to choose between "rip and replace" or paying an unknown actor millions in ransom.
Protecting Key Systems (and Knowing Where They Are)
Understanding what data you have and who has access to it is a foundational step for both security and privacy, but it is a challenge for many organizations lacking the staff or expertise to perform it. Our Kroll teams are highly experienced in both data governance and aligning programs for compliance. Further, there is an intrinsic benefit when you bring in an outsider to view how you track and manage data. Access paths and repositories that may have gone unnoticed can be seen and analyzed better from an outside perspective.
Improved Visibility Into Your Vendors’ Security
Finally, many breaches originate with a third party. Often this is a party with whom your organization shares protected data, such as outside counsel, a cloud services provider or an insurance company. A breach of a third party with whom you shared protected data is often treated the same as if the breach had happened on your own network. To avoid this situation, it is important to assess your third parties, analyze their cyber security posture and issue remediation guidance. The Kroll CyberClarity360 platform is built to reduce third-party cyber risk exposure and has helped organizations confront regulations like GDPR and improve the efficiency of vendor management programs by 400%.
Cyber threats show no sign of slowing down, and the impact of breaches, or of the failure to prepare properly, is becoming more significant as regulators try to respond. Organizations should invest in improving their cyber risk posture, and Kroll stands ready to help them with our talented personnel, effective processes and superior tools.