Risk Management and Cybersecurity | Matt Kelly What's Next | Expert Advice | Compliance Next

Author: Compliance Next

Uploaded: 2017-05-26

Views: 851

Description: Managing cybersecurity risk is becoming more about insider threats of mishandling data. Learn more at https://goo.gl/TYnhns.

Find us online:
Twitter: goo.gl/0vYo25
LinkedIn: goo.gl/UT8wlA

Today, we're going to talk about cybersecurity and the risk management thereof, because this is one of the few areas where I suspect we are going to see - get this - actual progress from Washington this year.

So first, let's look at actions taken or in motion by the new Trump administration. First, we have an executive order on cybersecurity for the federal government and that order preserves earlier language from the Obama administration directing federal agencies to use the NIST framework for cybersecurity to assess and manage their cybersecurity risks. NIST is the National Institute for Standards and Technology and really the lead federal agency for creating frameworks for cybersecurity. It has several frameworks of high quality and public pushing federal agencies in that direction is a good thing. Now, second is Congress also pushing legislation that would essentially codify the Trump administration's plans to use NIST as the go-to framework for cybersecurity. Now, this would still only apply to federal agencies, rather than private companies, but again, step in the right direction.

Now shift gears to the Securities and Exchange Commission. Earlier this year, during his confirmation hearing, SEC chairman Jay Clayton hit all the tones that you'd expect to hear from a Republican nominee favoring lighter regulation - except for cybersecurity. Now publicly traded companies do already need to disclose their cybersecurity risks in SEC filings, but that guidance was updated, adopted in 2011 and it hasn't been terribly specific. Now Clayton wasn't too specific in his comments either. He only said, and I quote here, “I question whether that disclosure is where should be.” But still, this is a sign that Clayton, like almost everyone else involved in corporate governance, isn't comfortable with what corporate America is doing currently and what we should do in the future around this issue. So what should compliance officers be doing here? Okay. Two ideas.

First, get acquainted with the NIST framework. It's publicly available with a ton of resources for the corporate community. For example, NIST includes explanations of how its framework maps to the cybersecurity standards enforced by federal banking regulators; also to how it might map to the HIPAA standard for personal privacy of health care information. Now NIST really should be your new best friend for assessing cybersecurity risk in implementing controls and policies to improve your situation. You, a compliance officer, you'll be able to work well with your IT security department and Lord knows the IT security department appreciates a compliance officer who can speak their language.

Second, understand your role as a compliance officer for cybersecurity. And this is where things get a little tricky. Most compliance officers do play a role in disclosure of a data breach and all the compliance responses that happen after a breach happens. But according to various surveys I've seen over the years, a much smaller number of you play a role in managing cybersecurity risk before a breach happens. That split should alarm us all because we see more and more cybersecurity incidents caused by insiders mishandling data and insider threats most often result from lack of training, poor risk awareness, weak practices and handling or collecting data, and those things are not the same as an IT security officer worried about keeping outsider threats off of the network. Training for risk awareness on insider threats, that is very much inside a compliance officer’s wheelhouse. So another prudent step here is to talk with your IT security officer and your HR manager and possibly others to ensure that the cybersecurity policies and training you have leave no gaps that could lead to what we would call an unwanted outcome sometime in the future.

So we'll definitely hear more and we'll talk more about cybersecurity in 2017. We might even see actual legislative or regulatory action. Regardless, your board wants to know how the company is trying to stay ahead of risk and it's becoming more of a risk about people and practices than about hackers and software code. So ethics and compliance offices are going to have a lot to say about these conversations to come.

Compliance Next is the world's first member-driven think tank for compliance experts.

Give and get. That's the basic idea behind Compliance Next. You give to the community by adding your thoughts to discussions, sharing a policy you're proud of or submitting a blog post you wrote.

And in return, you get a lot: access to how-to videos, regulatory updates, expert advice, interactive quizzes and an always-growing library of amazing tools like sample policies and stats you can use for board presentations.
