Are you tired of worrying about getting hacked, afraid that your business is next? Are you sickened by the skyrocketing growth of the cybercrime industry? So is Big Insurance, and so is the government. And now they’re doing something about it that affects you.
Cybersecurity compliance is coming!
At a recent tradeshow, I heard how badly cybersecurity insurance has been getting crushed under claims. Just a few years ago, they were paying out roughly 30% of premiums in claims and admin costs (70% gross margin equivalent). In 2019 they paid out 74.5%. In 2021, it was over 95%.
If you were Big Insurance, what would you do? Your only short-term levers for change are to raise premiums, raise deductibles, lower limits, tighten application requirements, and deny or reduce claims. You’ll never guess what’s happening: Deductibles and premiums are increasing, applications are getting more stringent, and claims are being denied.
In 2022 Travelers went to an Illinois court to rescind a cybersecurity insurance policy from International Control Systems. ICS had attested on their application to having multifactor authentication (MFA) enabled across their network. In 2020 they were hit with ransomware and filed a claim. Travelers’ forensic investigation showed that MFA had not in fact been enabled at the time, so they’ve sued to get out of the policy, essentially saying, “So long, and thanks for all the premiums!”
What else would you do as the Monarch of Big Insurance? Why, you’d deploy your armada of lobbyists to convince lawmakers and regulators to help reduce your risk, offloading it upon the insured. On June 9, 2023, the Safeguards Rule of the Gramm-Leach-Bliley Act expands to include any business touching personal financial data, specifically requiring compliance from car dealers, mortgage brokers, CPAs, finance companies, and credit counselors, to name a few. Compliance is coming, but the things it requires are the things that you should be doing anyway.
Not that government needs much convincing to embrace compliance. It already touches nearly every aspect of our lives. The food you buy has been inspected and tracked for recall if contaminated. That’s compliance. Elevators, bridges, restaurants, and airplanes are all routinely inspected, which is logged, reported, and audited – compliance. Now these requirements are expanding, both by increased application to more industries and by increased enforcement.
So, what is cybersecurity compliance, compared to good old-fashioned cybersecurity? Compliance is a process for documenting historical proof of action. Compliance lives in the past, whereas security is more concerned with the present and the future. However, the two are inextricably related. If you’re not doing the right security things today, then you obviously can’t document that fact later, when you need proof to defend an audit or fight a lawsuit.
Another handy way to compare security and compliance is “should do” versus “have to do.” In nearly all cases, the things that you have to do under a compliance requirement are the same things you should do to protect yourself anyway. Compliance just requires additional documentation, which can be audited, with consequences for failure.
It’s like a healthy lifestyle versus military basic training. It’s good for you to get up at the same time every day. “Early to bed and early to rise makes a man healthy, wealthy, and wise,” as Benjamin Franklin said. But in the military, if you’re not ready to go by the anointed time, you get chewed out and punished. It’s a good habit to be tidy and keep your belongings organized, but in boot camp your personal space and belongings are inspected routinely. And again, there will be hell to pay if you don’t pass.
So, the good news is compliance is coming! And these compliance requirements tell you exactly what to do so you don’t have to guess. Well, kind of — they’re just a little vague, leaning on words like “adequate” and “appropriate.” Mostly, they define a process for documenting your research, testing, review, and improvement. Most, like HIPAA and the FTC Safeguards Rule, do not require perfection, simply honest assessment and progress. Nobody starts the process 100% compliant. But you must show reasonable year-over-year progress.
Most processes prescribed by the compliance frameworks are similar. And, even if you do not fall under a compliance requirement (yet), it’s a REALLY good idea to follow these processes anyway. Doing so will help ensure that you really are doing the proper things. You’ll sleep better and will be better positioned for the future when you do fall under a compliance requirement or have a customer who does.
First you must identify where and how any protected data is captured, stored, transmitted, or accessed. And remember, the law applies to the protected data, not the system, or even the industry. Protected data can turn up in some unexpected places. For example, many medical offices unwittingly capture protected health information on their phone systems, because all calls are “recorded for quality assurance purposes.” Similarly, many attorneys have medical records for clients’ legal cases, not realizing that this alone makes them accountable under HIPAA.
Once you have identified your applicable data and all its locations, you need a written plan detailing how you will protect it. You’ll want to write this with the assistance of a professional if you don’t have one in-house. This security or compliance plan will be the living document that governs how cybersecurity is managed in your environment. Next, a person needs to be assigned ownership over the plan, as it will be their responsibility to assess, modify, implement, and enforce it.
Compliance is coming (or here already), but that’s a good thing. Healthcare today represents 30% of the U.S. economy. All medical entities and their vendors are already subject to HIPAA — our IT and cybersecurity business is, for instance, as we could conceivably access clients’ private health information. Having a compliance program in your business can insulate you from a LOT of risk, even if you aren’t legally required to follow one.
Having an appropriate, effective compliance program can decrease your risk across the board:
Cybersecurity risk: The security controls and policies required by compliance are designed to be an effective means of cybersecurity defense. Compliance simply demands proof of what you should already be doing. It takes a lot to protect a business from cybercrime these days. The “bad guys” — cybercriminal enterprises and nation-state threats like Russia, China, Iran, and North Korea — are incredibly well organized and funded. By following a compliance program, you are minimizing your chances of being put out of business by these professional criminals and spies, which is a GOOD THING.
Insurance risk: What sorts of cybersecurity requirements are being put into insurance applications and policies? Yep, the same ones being required by all the compliance frameworks. Soon, you won’t be able to get cyberinsurance at all without these things. Or worse yet, when you file a claim, their forensics will compare your true environment to what you represented on the application. This is why nearly 50% of claims are being denied or reduced. Monitoring your compliance program can uncover discrepancies, which would probably be the most likely source of a breach in the first place. As more and more industries fall under some sort of compliance, I predict that the cyberinsurance applications will become much shorter, possibly one checkbox: “Do you comply with all applicable laws pertaining to cybersecurity?”
Legal risk: Lawyers move faster than government, and class action lawsuits abound where there are compliance requirements, as it’s easy to demonstrate negligence. “Mr. Auto Dealer, isn’t it true that your decision to ignore the FTC’s Safeguards Rule led to the theft of all your customers’ private financial information, resulting in the theft of customers’ life savings?” Ignorance of the law is not a legal defense, and class action damages can dwarf fines from enforcement.
Enforcement risk: Laws requiring compliance have teeth, and the enforcement authorities tend to show up after the battle is over to bayonet the wounded. Enforcement actions are on the rise, particularly with HIPAA. The Department of Justice has started prosecuting HIPAA violations under whistleblower laws. If you receive money from Medicare or Medicaid, then you are attesting annually to HIPAA compliance. If you are not compliant, then DoJ considers all your reimbursements to have been fraud, and they can fine you up to FIVE YEARS’ worth. Furthermore, they will award an anonymous whistleblower – nurse, receptionist, patient, whomever – 20% of the fine. There’s so much money at stake that there are already law firms marketing to potential whistleblowers.
Compliance is GOOD!
Properly done, your compliance program can become a legal defense. In Oregon, there was a lab that got audited for HIPAA violations. A customer had ordered a sexually transmitted disease workup, not realizing that his mother-in-law worked there (awkward!!). She recognized the name and told her daughter, who confronted her husband, who subsequently pursued a HIPAA action against the lab. However, the lab got off with no fine or punitive action because they had followed their HIPAA compliance plan. The mother had been retrained on their privacy policies at the beginning of each year, and she’d attested that she would follow them. There was nothing the lab could have done to prevent her malfeasance, so there was no enforcement against them. I’m not sure that everyone lived happily ever after, though.
Cybersecurity and compliance are now some of the greatest risks you face in business, but how to combat them is not a mystery. Best practices for cybersecurity, while constantly evolving, are rather mature. Embrace your compliance, and work with professionals to manage your plan. And if you’re not subject to compliance (yet), pretend that you are. You’ll be better prepared than your competitors. Your business’ market value will increase. Insurance renewals will be easier and cheaper. And you’ll sleep better at night, knowing that you’re doing the right things.
Ron is Chief Cybertechnologist at SIP Oasis, an Alabama managed cybersecurity company. Ron’s passion is getting normal people to learn how to protect themselves from cybercrime, using humor and relatable stories, with zero techno-jargon — “EnterTraining.”