Managing an Increasingly Risk-Averse Regulatory Environment
Risk management and mitigation is a high priority for CEOs and other senior executives worldwide — including CIOs and cybersecurity executives. The fact is, it’s impossible to separate risk from technology implementations and the potential cybersecurity vulnerabilities they present.
One of the biggest challenges of risk management, as it relates to IT, is the growing number of government and industry regulations covering data privacy and security. Complying with all of them, particularly for heavily regulated organizations such as financial services firms, healthcare institutions and government agencies, is a daunting task.
Some of the regulations that address specific sectors have been in place for a number of years. For example, in financial services the Gramm–Leach–Bliley Act (GLBA) requires financial firms to protect customer data and disclose all of their data-sharing practices with customers.
In the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) requires the protection of sensitive patient health information from being disclosed without the patient’s consent or knowledge. Risk management and technology leaders in the industry have been grappling with HIPAA compliance since the law was enacted in 1996.
In the US federal government, agencies have to deal with the Federal Risk and Authorization Management Program (FedRAMP), a government-wide initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
And in retail and other sectors, companies that handle branded payment cards from the major card brands must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard, mandated by the card brands and administered by the Payment Card Industry Security Standards Council, was created to tighten controls around cardholder data in order to reduce payment card fraud.
More recently, the General Data Protection Regulation (GDPR), adopted by the European Union (EU) in 2016 and enforceable since May 2018, protects the personal data of individuals in the EU regardless of their citizenship. GDPR’s primary aim is to strengthen individuals’ control and rights over their personal data. And the California Consumer Privacy Act (CCPA), signed into law in 2018 and in effect since January 2020, enhances privacy rights and consumer protection for residents of California.
Many other states have pending legislation related to data protection and privacy, and some of these might be enacted in the near future.
Then there’s the American Data Privacy and Protection Act (ADPPA), a proposed federal online privacy bill that would regulate how organizations keep and use consumer data. The bipartisan bill is the first comprehensive American consumer privacy bill to pass committee markup. Its main principles include data minimization, individual ownership and control of personal data, and a private right of action. The burden of evaluating and demonstrating compliance would fall on each organization.
If enacted, ADPPA would be the first comprehensive federal consumer data privacy law, and it would largely preempt state laws such as the CCPA and the Colorado Privacy Act.
Governments, organizations, consumers, business partners and regulators alike have become more risk averse and more security conscious, and that shift is driving regulatory change.
Regulators in particular want more transparency from organizations in virtually every industry about what data they hold and how it is used, along with tighter controls over that data.
How to manage the risks
With all of this data privacy regulatory activity going on, how can organizations ensure they remain in compliance?
One of the most important things is to be aware of every existing and emerging regulation that applies to the company. This goes without saying for regulated industries, but any business needs to devote resources to evaluating the regulatory landscape and keeping up with the latest regulatory activity that applies to the organization.
Create a team that can assess and coordinate compliance activities. Whether this team is led by the head of risk management, compliance, audit, data governance or some other executive, the CIO and the CISO need to be involved because so much of data privacy involves the IT infrastructure. Other interested parties should include the legal and human resources departments.
Close and ongoing coordination among the different parts of the organization is vital, because data flows through every part of the business today.
Another important organizational practice is to hire the necessary compliance experts. As with any technology-related skill set today, finding and retaining these people can be a challenge. If that proves impossible, many consulting firms handle data privacy issues for companies.
Of course, it’s also important to have access to the right tools and services to help ensure data privacy compliance. These tools should be able to identify vulnerabilities and compliance exposures quickly across widely distributed infrastructure.
Some of these tools run vulnerability and compliance assessments against operating systems, applications, and security configurations and policies. They provide the data needed to eliminate exposures, improve overall security and simplify audit preparation.
Compliance functions are maturing, moving from a reactive and advisory role to becoming a proactive partner with the business, according to IT consulting and services firm Accenture.
A study the firm released in May 2022 showed that there’s an increased commitment to establishing a culture of shared compliance responsibility across the enterprise. The firm surveyed 860 compliance leaders and found that nearly half planned to upskill their compliance staff to drive a culture of compliance across the enterprise, and about 40% planned to invest in new technology to achieve this goal.
More than half of the respondents said they are using leading technologies to strengthen their compliance function, and 93% said new technologies such as artificial intelligence and cloud make compliance easier by automating manual tasks, standardizing processes, and making compliance more effective and efficient.
Assess the risk of your organization with the Tanium Risk Assessment. Your customized risk report will include your risk score, proposed implementation plan, how you compare to industry peers, and more.