Barely six weeks ago, the WannaCry ransomware attack swept across the globe. Last week, another ransomware attack, called PetyaWrap, broke out in Russia and quickly spread worldwide, shutting down the shipping giant, Moller-Maersk, among many others. These incidents are stark reminders of the times we live in. Cyber threats are real; they are indiscriminate; and they have the potential to disrupt or shut down businesses completely. Businesses everywhere are being forced to reexamine their cybersecurity efforts, update policies, expand user training, and implement new safeguards to protect their systems and data.
However, rising to meet the challenges posed by threats like WannaCry and PetyaWrap isn’t the only pressure businesses face regarding their technology and information security. Regulatory agencies, insurance providers, and even their own customers are, in one form or another, requiring assurance that businesses are taking steps to address the risks posed by cyber threats.
Government regulations regarding IT primarily focus on the protection of Personally Identifiable Information (PII), and/or Personal Health Information (PHI). (PII is any data that can be used to contact, locate or identify a specific individual, either by itself or combined with other sources that are easily accessed; PHI is any health information that is individually identifiable.) These regulations are designed to ensure businesses keep this information private and secure.
Regulators are focused on the security of data both “in transit and at rest,” meaning they are concerned about the management of data throughout its entire lifecycle: who has access to it, who it is shared with and how, and that it is protected from loss or corruption. It’s not enough to keep data safely under lock and key. Businesses must provide evidence that their policies and procedures are sophisticated enough to ensure data stays private and secure, no matter how it is used, for the entire time the business has possession of it.
Increased Scrutiny from Insurance Providers
Even before PetyaWrap, insurance companies were reporting a surge in cyber insurance claims, part of a larger trend involving the spread of ransomware and similar cyberattacks. A year ago, ransomware accounted for just over a tenth of cyber insurance claims, according to CFC Underwriting. Today, ransomware attacks account for 25% of all cyber insurance claims.
Insurance providers are responding to this shift with increased scrutiny of IT operations. They are asking more detailed and pointed questions about the technology infrastructure they are insuring. What was once a one-page form is now twelve, and the wrong answers to some questions generate even more follow-up questions and directly impact the cost of the insurance protection.
Even if a business isn’t directly affected by regulatory compliance and doesn’t yet see the need for cyber insurance, that doesn’t mean their customers aren’t affected by regulations. And those businesses that are affected by compliance issues and cyber insurance requirements are passing them along to the vendors with whom they work.
This is perhaps best illustrated by example. Not long ago, a customer approached us with a problem. During the sales process, a new prospect had asked our customer’s VP of Sales to complete a questionnaire detailing their IT policies and procedures. Before the prospect would entrust our customer with the data needed to start an engagement, they wanted to know their data would be safe. A few months later, it happened again. Although our customer isn’t currently under any regulatory compliance obligations, their prospects are pushing compliance issues back to them.
If recent headlines weren’t motivation enough, businesses are facing increasing pressure from government regulators, cyber insurance providers, and even their own customers to implement stronger IT policies and procedures. In future blog entries, we will explore these policies and procedures in detail along with the new services we are developing to help our customers respond to the growing demands placed upon them. Have a cybersecurity question today? Contact us to learn more.