February 8, 2022
Good morning, everyone!
The latest critical vulnerabilities:
Patch All the Things!
Business Pressures & Regulatory Roundup
2021 brought us a lot of cyber crime, and consequently a lot of cyber regulations, or just tightening up on old ones, as well as increasing pressure on organizations of all sizes and industries to improve their cyber security posture. This week I’m going to take a look at some of the most noteworthy.
The Gramm-Leach-Bliley Act (GLBA) received a major new update in December, with many new (and very specific) requirements that weren’t in the previous version. I’ve written a special edition newsletter on the subject.
Important Note: What exactly is a “financial institution” subject to GLBA? Included categories are investment advisors, accountants, tax preparers, real estate appraisers, mortgage brokers, and companies that regularly wire money or print/sell/cash checks to/from/for consumers, provide real estate settlement services, provide store credit for purchases, rent cars, and more. Anyone who falls into these categories needs to read this.
Federal Contractors and Suppliers
The Department of Defense released version 2.0 of its Cybersecurity Maturity Model Certification program in November, with some important changes. By aligning its model directly with NIST 800-171, the government-wide standard for protecting Controlled Unclassified Information (CUI), the CMMC is placing itself in position to become the cyber security standard for all federal government contractors. You can keep up with all things CMMC here.
The Department of Energy released a new draft version of its cybersecurity standard, Cybersecurity Capability Maturity Model (C2M2), last July. The new model addresses new technologies (cloud and mobile), evolving threats (ransomware!) and supply chain risk management.
The important thing to remember about government contract requirements is that they typically “flow down” to subcontractors. If you supply products or services to a government contractor, you may start getting questions about your own cybersecurity posture. Be prepared.
Although the PCI Data Security Standard itself hasn’t been updated since 2018, the merchant banks are putting a lot more pressure on retail merchants to improve their network security. I’ve heard reports of annual questionnaires that have ballooned from 50 questions to over 400. Many of the Point of Sale (POS) vendors have added increased security to their products, like Point to Point Encryption (P2PE), which in turn makes your PCI compliance much easier to achieve. If you haven’t updated your POS lately, talk to your vendor and see what options are available.
Cyber Liability Insurance for Everyone
Short story: it’s increasingly expensive and difficult to obtain. Ransomware in particular has caused insurers’ costs to skyrocket over the past two years. They are responding by increasing premiums and deductibles 73% in the last year and tightening up coverage:
Greater specificity over what is (and what is not) covered has become a feature of many updated policies, as has the expectation that companies need to have greater security hygiene in place in order to qualify for insurance. To increase the likelihood of getting coverage, companies will need to prioritize risk mitigation, which means adopting a readiness approach to increase resilience to a cyber attack.
Insurers are also taking a closer look at the security practices of organizations applying for cyber insurance and sometimes setting baselines:
Industry analysts predict that the old, lenient, everyone-can-afford-an-outlandish-policy era of insurance is probably nearing its end. In its place will likely be policies dependent on higher base security standards offering lower maximum payouts. [...] Several of a new breed of financial tech firms emphasizing data-driven security policies, including network monitoring software in their dealings and requiring things like patching, believe their model for insurance is sustainable.
Cyber liability insurance is not security. It’s a fallback to (hopefully) prevent bankruptcy if your actual security fails. Even if insurance covers the actual costs of paying a ransom and/or restoring your systems (which is becoming less likely), insurance will not repair your reputation nor your business relationships that are damaged when your systems are down for some period of time. And sometimes insurance companies refuse coverage for incidents that could have been prevented by basic cyber hygiene. Make certain that your answers to the questionnaires are an accurate representation of your actual security policies and practices.
Our general rule of thumb is this: Be as secure as you can be, as compliant as you can afford to be, and then buy cyber insurance to fill the gaps.
What does all of this mean for consumers? Well, hopefully it means decreased chances of your personal information being stolen from an information system over which you have no control. Do you ask your doctors, lawyers, accountants, etc. what measures they have in place to protect your information? Do you limit what information you give them? For example, did you know that you don’t have to provide your SSN to physicians’ offices? That’s not a HIPAA requirement; they want that info so they can run you down if you don’t pay your bills. I routinely decline to answer that question on new patient forms. Start paying attention to all the people and all the places you give out sensitive information, like DOB and SSN. If you don’t have to give it up, don’t do it!
And that's enough for now, I think. Have a great week, everyone!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺