ZenGRC

Simply Powerful GRC

Libby Bevin

SEC’s Push for Better Cyber Governance

· ·

This article first appeared on radicalcompliance.com March 28th, 2022

Today I want to revisit the SEC’s proposed new rules requiring public companies to disclose more about their cybersecurity risks. Those plans would obligate companies to discuss how the board and senior management address cybersecurity risk at a strategic, enterprise level. What’s that all about?

In a previous post about the SEC proposals, I considered some of the challenges around assessing and disclosing “material cybersecurity incidents.” Those challenges, however, are mostly tactical in nature: your company suffers a specific incident, and senior executives (including compliance and audit leaders) need to decide what to do about it. To a certain extent, that’s an easier hill to climb.

These other SEC proposals are more about the company’s overall governance, and how your governance structures address modern cybersecurity challenges. Who is responsible for what cybersecurity risk management practices? What are those risk management practices, anyway? How do the board and senior management assure that they’re properly briefed on what cybersecurity risks are afoot in your enterprise?

Those are important questions to answer. When the SEC adopts final cybersecurity disclosure rules presumably sometime later this year, the governance requirements could prompt some deep conversations at companies that haven’t yet fully considered how they should address cybersecurity. Compliance and risk officers should understand what the SEC is trying to achieve here, so you’ll be prepared should those deep conversations happen at your enterprise.

What the Proposed Requirements Are

The text of the SEC proposal divides these disclosures into several categories. First would be disclosures about the company’s cybersecurity risk management. Among other things, you would need to disclose whether:

  • The company has a cybersecurity risk assessment program and if so, provide a description of such program;
  • The company engages assessors, consultants, auditors, or other third parties for that risk assessment program;
  • The company has policies and procedures to identify and oversee cybersecurity risks posed any third-party service providers, including whether and how cybersecurity considerations affect your selection of those providers;
  • The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  • Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation.

Second, the company would need to make disclosures about its governance of cybersecurity issues, right in the boardroom. So the disclosures would need to discuss:

  • Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its cyber discussions; and
  • Whether and how the board or board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.

And third, the company would need to disclose management’s role in assessing cybersecurity risk and implementing necessary policies and procedures. So those disclosures would cover issues such as:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, including the prevention, detection, and remediation of cybersecurity incidents;
  • Whether the registrant has a designated chief information security officer, and if so, to whom the CISO reports within organizational chart and the CISO’s relevant expertise; The processes by which such persons or committees are informed about and monitor cybersecurity incidents; and
  • Whether and how often management reports to the board of directors or a committee of the board of directors about cybersecurity risk.

That’s a lot of material to ponder, document, and put into the 10-K. To see the bigger picture here, however, we need only focus on one word in the proposed requirements – a word that does more work than anything else in the entire 129 page-document.

“Whether.”

Taking Cybersecurity Seriously, or Not?

By including the word “whether,” the SEC is giving companies the option to tell investors that the company has not yet developed a thoughtful approach to managing its cybersecurity risks – except, who wants to be the loser who admits that in the 10-K?

For example, companies would have to disclose whether they have policies and procedures to identify cybersecurity risks posed by third-party service providers. Imagine being the company that tells investors it does not have such procedures, when so many breaches happen via a cloud-based provider your enterprise uses (and usually those breaches are the most serious). You would be admitting a major weakness in your oversight of cybersecurity. Privacy regulators would certainly note that fact if you later suffer a privacy breach, and so would class-action lawyers when the inevitable civil litigation follows.

So by giving companies the option of disclosing that they are not taking certain cybersecurity risk management steps, the SEC is really driving companies toward taking those steps. That’s the goal here: to use the power of disclosure to make boards and senior executives confront cybersecurity risk in a disciplined, systemic way.

Indeed, I can’t help but wonder whether the SEC is pushing companies to treat cybersecurity risks in the same way that companies treat financial reporting risks. That is, financial reporting is a core responsibility of every public company, and the board must assure that financial reporting risks are kept in check. You can’t have reliable financial reporting without some mechanism to govern financial reporting risks.

By the same token, one could argue that cybersecurity is now a core responsibility of every public company: that effective use of IT is so fundamental to modern business, you can’t have reliable operations without some mechanism to govern cyber risks. And investors need some discussion of that in the 10-K, just like they have discussion of accounting policies, controls and procedures, and audit committee expertise.

I appreciate that the comparison only goes so far. In financial reporting, boards need to make qualitative disclosures under Regulation S-K to help assure that quantitative disclosures (financial data) reported under Regulation S-X are reliable. Cybersecurity doesn’t have that second half of the equation; there are no quantitative disclosures about data breaches or cloud-based providers.

Fundamentally, however, we can’t deny the reality that in our technology-dependent world, cybersecurity risk and operational risk have fused into one thing. Banking regulators already pretty much concede this point, because when they talk about threats to operational risk management, it’s a discussion of cybersecurity threats all the way down. Nobody should be surprised that the SEC is slouching toward this conclusion, too.

So what will companies need to do here? Watch the SEC’s proposed regulations carefully, and prepare for probing conversations with your board, CISO, legal team, and others in your enterprise once final rules are adopted.

You’ll likely need to have long talks about who is in charge of which cyber risk management duties, and what policies and procedures you should put in place. Then you’ll need to document all that work for inclusion into the 10-K. Perhaps in another post we can talk about the specifics of that effort, since it could be a big lift for some companies.

Then again, with the way technology and risk are going – most companies will need to put that structure and discipline in place anway, SEC requirements or not.

What is Compliance in Cybersecurity?

· ·

Definition of Compliance

Businesses are required to comply with all relevant government laws, rules, and regulations, including those rules and regulations about data privacy. There is no choice here; either the organization complies, or it risks losing permission to operate.

The requirements themselves can range from laws such as the Health Insurance Portability and Accountability Act (HIPAA) and all its attendant regulations; to industry mandates such as PCI DSS regulations, which guide how a company processes credit cards. To run your company efficiently, you’ll need to understand what kinds of data you’re processing as well as what regulations are required of your industry.

Types of Data Subject to Cybersecurity Compliance

A data breach can be potentially devastating to your company, and the types of information you store and process will determine how valuable that data is to potential hackers.

Broadly speaking, cybersecurity compliance is concerned with three categories of data:

Personally Identifiable Information (PII)

This is any information that could be used to identify an individual. Examples of PII include names, addresses, and government identification numbers like Social Security or driver’s license. It can also include photos, genetic information, or other data.

Personal Health Information (PHI)

PHI is medical information that is identifiable with a specific individual. PHI and PII do overlap, although PHI focuses on insurance information, healthcare records, and other information that could be stolen from a medical provider.

Financial Information

Similarly, financial information encompasses PII but is specific to financial data. This includes bank account and credit card numbers, or any other information related to money or the transfer of funds.

How to Create a Cybersecurity Compliance Program

Your cybersecurity compliance program will be unique to your company and depend largely on the type of data you process and the regulatory requirements that pertain to your industry. Some of the major compliance standards that might apply to your cybersecurity program include:

NIST

The National Institute of Standards and Technology has a variety of compliance standards and guidelines that regulate information security for government agencies. Various laws require organizations to meet NIST standards to satisfy cybersecurity expectations. Compliance with NIST standards will often serve as a solid foundation for other compliance measures.

HIPAA

These requirements, designed to protect patient privacy in the healthcare industry, predate many modern cybersecurity threats and have grown and changed since first enacted in 1996. The increasing use of the Internet of Things (IoT) in the medical field has made cybersecurity compliance with HIPAA regulations more important than ever.

GDPR

The General Data Protection Regulation governs the treatment of personal data for citizens of the European Union. Even if your company is not located in the EU, you might be subject to these regulations, depending on the citizenship of your customer base.

PCI DSS

Developed and overseen by the major credit card companies, this framework regulates the processing and storage of credit card data. Non-compliance with PCI DSS is not illegal, but it can result in the loss of your credit card processing privileges.

ISO

The International Organization for Standardization has developed a number of standards, broken down by industry, designed to encourage consistency from country to country.

Once you’ve determined the standards with which you need to comply, the fundamental steps toward creating your program are as follows:

Identify

Your first step should be to identify the compliance requirements you must meet and how they apply to your existing cybersecurity infrastructure.

Assess

Your risk assessment process should examine the areas where changes must be made to comply with any relevant standards. Be sure to include all potential vulnerabilities in your assessment, including any third-party vendors or contractors.

Control

Next, develop the appropriate controls to prevent and mitigate cyber threats. Documenting your security controls and remediation efforts is a requirement for most compliance standards.

Monitor and Educate

Regulatory compliance is an ongoing process, and continuous monitoring will be required. Compliance regulations change over time and it’s important to make sure your controls and security measures remain sufficient. You should also enact policies that will educate your staff on cybersecurity risk so that everyone is on the same page in the event of a cyberattack.

Strengthen Your Cybersecurity With Reciprocity ZenRisk

Cybersecurity compliance can be complex, and it can be increasingly difficult to meet requirements as your company grows. To assure your company’s compliance, you’ll need a robust risk management program that will help you track risk throughout your entire organization.

ZenRisk, powered by the Reciprocity ROAR platform, is your solution. ZenRisk software gives you a real-time view of your company’s entire risk management landscape, making it easier than ever to track, assign, and control risk. ZenRisk can also provide documentation that will make proving your compliance fast and easy. Schedule a demo today to learn how ZenRisk can help create a successful compliance program at your company.

Best Practices to Mitigate Vendor Risk Within Your Supply Chain

· ·

As an organization grows, it becomes increasingly difficult to handle all workloads internally. Suppliers, service providers, and other third-party vendors are often necessary to meet your goals and to create a positive experience for your customers.

That said, outsourcing tasks to vendors also means taking on new or additional risk. The vendors’ reputational risk, financial stability, cybersecurity risk, and other concerns can quickly become problems for your organization if not handled appropriately.

Mitigating these risks and developing appropriate remediation plans is a crucial component of your company’s supply chain risk management process.

Benefits of Vendor Risk Management

Creating a robust vendor risk management program (VRM program) at your company has numerous benefits.

Ensure Compliance

Any regulatory compliance requirements that apply to your company will also apply to your vendors, and future audits will take your entire supply chain into account. You can prevent compliance issues in the future by performing your due diligence on vendors before entering into agreements with them.

Save Money

While managing your vendor risk may seem labor and cost-intensive at the start, having these safeguards in place is likely to save you time and money in the long run. Managing your vendor risk ensures business continuity and will keep you prepared for any threat that may arise in the future.

Provide Quality Service

Your vendors are a critical part of your workflow, and threats to their procedures can cause chaos within your supply chain. To provide the best quality service for your customers and clients, you’ll need to protect your operations from external threats.

Improve Relationships

Discrepancies in risk management practices can lead to complications with your vendors, as well as dissatisfaction from your customers and loss of trust from your senior management and stakeholders. Managing your risk will go a long way towards solidifying these relationships and maintaining them over time.

How to Conduct Risk Assessments for Vendors

Onboarding new vendors should include a robust third-party risk assessment to determine whether the vendors’ own risk management is sufficient.

Understand Your Risk Tolerance

Before beginning the vendor risk assessment process you should determine exactly how much risk your company is willing to shoulder. This tolerance level will be different for every company, and it will be up to your risk management team to decide the metrics by which your risks and opportunities should be weighed.

Identify Potential Risks

Understanding all the possible kinds of risks you might face is a critical part of managing vendor relationships. To determine whether these vendors meet your risk management standards you’ll need an exhaustive list of all the vulnerabilities your new vendor might cause.

Do Your Research

When hiring new vendors, look carefully at their existing security practices and risk management efforts; consider asking for a SOC 2 audit to review the vendor’s security controls and processes. Performing this due diligence up front and vetting potential vendors will save you time and money later.

Should You Automate Vendor Questionnaires?

Many companies choose to automate their vendor questionnaires, since this is usually faster and more efficient. Questionnaires can also become complicated when fourth-party vendors come into play, and automation can make this process easier and more transparent.

Creating a Vendor Risk Management Program

Every vendor risk management program will look different, and yours will likely change over time as your company grows and more contractors are brought on. To manage your vendor risk appropriately, consider the following:

Examine Your Current Vendors

An important part of managing vendor risk is determining which of your vendors are most critical to your operations. You’ll also want to examine what level of access each of your vendors needs to perform its duties efficiently.

Rank Vendors By Risk Level

Consider which of your vendors pose the highest level of risk. High-risk vendors should be monitored more carefully and controlled more tightly than those rated as lower-risk.

Continuous Monitoring

Risk management is not a one-time task. A successful program will require ongoing monitoring of vendor performance to assure that changes are accounted for and faulty controls are remedied quickly.

Control Third-Party Risk Management With ZenRisk

If you’re looking for risk management solutions for your supply chain, ZenRisk (powered by the Reciprocity ROAR platform) can help. This innovative software platform provides a thorough, real-time view of your company’s entire risk landscape – including third-party relationships.

ZenRisk also makes vendor risk management easier than ever before by automating vendor questionnaires, tracking risk assignments, and providing a single source of truth for all of your risk and compliance efforts. Schedule a demo today to learn more about how ZenRisk can streamline and simplify your third-party risk management program.

Internal Controls Best Practices

· ·

Learn to develop strong internal controls to safeguard against security threats

Internal controls protect your business from many operational, financial and compliance risks that compromise asset security and increase your vulnerability to theft. These risks can also result in operational uncertainties that disrupt business continuity and weaken competitiveness, which can ultimately decrease your ability to achieve goals and objectives.

This ebook provides an in-depth view into internal controls, types, benefits and best practices. If your organization is planning to revamp or implement a system of internal controls, download this ebook to see how to optimize these processes.

In this ebook, you’ll learn:

  • About internal control risk assessments
  • About the relationship between internal controls and risk management
  • How to assess and implement internal controls
  • Best practices for internal controls
Get the eBook

Best Practices in Cyber Supply Chain Risk Management

· ·

Management of cybersecurity threats in your supply chain should be embedded into every part of your business. Every high-risk vendor relationship or third-party supplier from the front office to the far depths of your supply chain can introduce risk to your entire business.

To be clear, supply chain risk management (SCRM) and cyber supply chain risk management (C-SCRM) are not solely the responsibility of the IT department. Instead, both are part of your business’s risk management framework, which should be developed based on the level of risk you are willing to tolerate.

When we hear “supply chain,” we think of physical components that have to be available at a particular time: materials to complete a construction project, for example. Supplier risk management involves an organization taking steps to identify, assess, and mitigate risk to the supply chain.

The cyber supply chain works the same way, without the physical parts. Instead of focusing on the delivery of nuts and bolts at a specific time, the cyber supply chain focuses on business continuity by linking software applications, information systems, service providers, and vendors together so you can get your job done.

NIST Best Practices for Cyber Supply Chain Risk Management

The National Institute of Standards and Technology (NIST) released a set of best practices for cyber supply chain risk management in 2016 and followed up with a newer paper, Key Practices in Cyber Supply Chain Management, in 2021.

NIST identifies eight supply chain risk management areas to consider when you develop a cyber supply chain risk management system (C-SCRM):

  • First, integrate C-SCRM across your organization.
  • Establish a formal C-SCRM program that is evaluated and updated in real-time.
  • Know your critical suppliers and how to manage them.
  • Understand your organization’s supply chain.
  • Collaborate with key suppliers and incorporate them in your supplier risk management program.
  • Include critical suppliers in your resilience and improvement activities as part of your vendor risk assessment process.
  • Constantly and vigorously provide continuous monitoring of your C-SCRM.
  • Have a plan for all business operations, not just for what appears to be the most critical parts of your organization’s various functions.

NIST includes a long list of potential questions to ask suppliers, vendors, and third parties about C-SCRM. In addition, vendors must have a vulnerability management program, and notify their customers on how best to mitigate discovered vulnerabilities in their products and assure security throughout their product’s lifecycle.

Common Risks for Supply Chains

Many risks can cause supply chain disruption, and those threats can have severe consequences for your business. Some of the more common risks are:

Cybersecurity Risks

Hackers can enter your supply chain at any point and then move throughout your firm. Cybersecurity breaches can also wreak havoc on your day-to-day operations. So information security should be at the forefront of your mind when considering new vendors.

Compliance Risks

You’ll need to make sure your vendor can meet any regulatory compliance requirements your company has, which will subsequently affect your supply chain. For example, suppose a vendor bribes foreign government officials on your behalf. In that case, your company will be charged with violating the U.S. Foreign Corrupt Practices Act and all the legal ramifications that it entails.

Financial Risks

When collaborating with other companies, the risk of financial loss is always present. For example, if your contractor goes bankrupt or faces its own supply issues, this could have significant economic consequences for you and your organization.

Reputational Risks

Reputational risk is the most unpredictable type of risk because incidents that affect your reputation might happen out of nowhere. Damage to your contractors’ reputations can also harm yours, so consider reputational risk when choosing providers.

Cyber Supply Chain Principles and Supply Chain Risks

NIST identifies primary principles to consider for successful C-SCRM. These considerations are comprehensive and broadly apply to critical infrastructure, business processes, and intellectual property.

Understand the Security Risks Posed by Your Supply Chain

Examine the specific dangers that each supplier exposes you to, the products or services they provide, and the value chain as a whole.

Supply chain risks come in a variety of shapes and sizes. A supplier, for example, may not have enough security, may have a hostile insider, or its employees may not correctly handle your information. Gather sufficient information to better evaluate these security concerns, such as an insider data collection report or risk assessment.

Develop Your Organizational Defenses With “Assume Breach” in Mind

Assuming a breach means an organization approaches its cybersecurity posture by anticipating that its networks, systems, and applications are already compromised. Treating an internal network as if it’s as open as the internet readies the system for various threats and compromises.

Set Minimum Security Requirements for Your Suppliers

You should establish minimum security requirements and metrics for suppliers that are justified, proportionate, and achievable. Make sure that these standards reflect not only your evaluation of security risks but also the maturity of your suppliers’ security arrangements and their capacity to achieve the requirements you’ve set.

Minimum requirements should be documented and standardized to streamline enforcement. This technique will help you lower your effort and prevent giving these parties unnecessary work.

Cybersecurity is a People, Process, and Technology Problem

People, processes, and technology are the triad of solving problems. Supply chain management also focuses on these three areas to enhance supply chain performance, make it more secure, and do more with less.

Look at the Entire Landscape

There are multiple security standards that interact with each other in a variety of cybersecurity frameworks and best practices. A few examples are the NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, and the International Organization for Standardization (ISO) series.

To be efficient and flexible, your C-SCRM should follow the guidelines established by your third-party risk management program. That is especially important today, where outsourcing is common. Always remember that your C-SCRM program is only as good as the data security provided by your least secure third- or fourth-party supplier.

Encourage the Continuous Improvement of Security within Your Supply Chain

Encourage your vendors to keep improving their security measures, emphasizing how this will help them compete for and win future contracts with you.

Advise and support your suppliers as they seek to make these improvements. Allow your suppliers time to achieve improvements but require them to provide you with timelines and project plans.

Listen to and act on any issues arising from performance monitoring, incidents, or bottom-up supplier reports that imply current approaches aren’t functioning as well as they should.

Best Practices for Cyber Supply Chain Risk Management

An organization can employ a variety of best practices in its C-SCRM program. Best practices improve the ability to identify and mitigate potential risks over time. In addition, these practices include remediation steps to apply if you experience a data breach.

Here is a list of some of the best practices to keep in mind as you set to work on your cyber supply chain risk management program:

  • Security requirements need to be defined in requests for proposals (RFP). In addition, use security questionnaires to hone in on the current standards practiced by each bidder.
  • An organization’s security team must assess all vendors, and you must remediate vulnerabilities before sharing information, data, or goods and services with them.
  • Engineers must use secure software development programs and keep up-to-date on training.
  • Software updates need to be available to patch systems for vulnerabilities, and they must be downloaded and installed in real-time.
  • Dedicate staff that is assigned to ongoing supply chain cybersecurity activities.
    Implement and enforce tight access controls to service vendors.

Reciprocity ROAR Helps Businesses with Cyber Supply Chain Risk Management

With global supply chains, disruptions on the other side of the world directly affect procurement and sourcing, leading to business continuity and financial risks. Cyber supply chain risk management is essential in our interconnected world. C-SCRM is an integral part of an information technology program to address cybersecurity risks holistically.

Reciprocity ROAR allows you to centralize and streamline your workflows and compliance efforts – including monitoring your vendors and contractors. Questionnaires and assessments can be distributed, collected, analyzed, and stored in this integrated platform. This software provides a clear view of risk throughout your company, allowing you to track threats in real-time.

It is a single source of truth that assures your organization is aligned and audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards give visibility to gaps and high-risk areas.

Schedule a demo today to see how Reciprocity ROAR can help efficiently manage and monitor your cyber supply chain risk.