The government keeps making it harder for business leaders to kick the cybersecurity can any further down the road. Another round of new cybersecurity laws affecting the insurance industry, for example, continues the trend of state and federal bodies giving businesses not-so-gentle pushes to get their data policies in order.
So far in 2021, three more states have passed laws that step up cybersecurity requirements in the insurance industry, bringing the total to at least 14 states that have implemented laws based on a model drafted by the National Association of Insurance Commissioners. In the spring of 2021, Iowa passed a new cybersecurity law to go alongside new laws in Maine and North Dakota. Several other states have pending legislation based on NAIC’s model.
Most of the recently passed laws start taking effect in early 2022, with some aspects delayed until 2023. The U.S. Treasury Department has asked all states to pass laws based on NAIC’s model by 2025. After that, it’s likely that the U.S. Congress would pursue legislation to close any remaining gaps at the state level. In 2021, 44 states introduced or considered more than 250 bills and resolutions dealing with cybersecurity.
Meanwhile, President Biden signed an executive order in May 2021 that steps up the federal government’s cybersecurity game by strengthening standards for government systems, requiring better security measures from software developers and creating an incident review board that will investigate major breaches in an effort to prevent future problems.
And the Defense Department is currently rolling out its new CMMC standard, which requires 300,000 companies at all levels of the DoD supply chain to get third-party certification that their cybersecurity policies are up to par.
All this government action to harden information security defenses points to a quickly dying “it won’t happen to us” mentality. The last six months have produced headline-grabbing demonstrations of America’s gaping cyber holes as seen in breaches of SolarWinds and Microsoft Exchange Server and the ransomware attack that shut down the Colonial Pipeline.
Perhaps the strongest indication that both government and businesses are getting serious about cybersecurity is the bipartisan support regularly seen for the new laws. Iowa’s new insurance law, for example, passed during its first legislative session with a total vote of 137-0 in the House and Senate before being signed into law by Republican Gov. Kim Reynolds.
Michael Daniel, President/CEO of the Cyber Threat Alliance, told the Washington Post in 2020, “Most of cybersecurity is a nonpartisan issue. It’s one of the few things that’s true in Washington.”
The challenge with any of these laws, of course, is that they deal with a rapidly shifting tech landscape. That means private organizations must continue to actively drive their own security policies rather than count on compliance with dated regulations to keep them safe.
NAIC saw the problem growing back in 2016 and decided to push for change in the wake of major insurance-industry breaches that compromised the personal information of millions of consumers. After seeking input from insurance regulators, consumer representatives and the insurance industry, NAIC released its model regulation.
These NAIC-inspired laws typically apply to any organization licensed by the state department of insurance, including insurers and insurance agents. If your state has passed legislation based on the model law, read the details. Several states have modified the template in important ways. For example, in various states the required deadline for notifying the state of a breach is 72 hours, three business days or 10 days.
Note that most of these laws exempt smaller companies from the requirements. Iowa, for example, exempts companies with fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Under Iowa’s new law, all other organizations licensed by the insurance commissioner must:
Clearly, the regulatory landscape for cybersecurity is changing by the month. For help in understanding how new laws affect your organization—and what requirements are on the near horizon—contact Pratum today.
No matter which framework your organization uses to determine risks to information assets, understanding vulnerabilities and threats plays an integral role. With the sheer breadth of known vulnerabilities and potential threats, not to mention the ever-growing variants of identified malware, it’s important to narrow the information down to a usable amount for risk analysis efforts. Your organization’s vulnerability and threat information needs may vary over time, but it’s good to know that there are several sources available, including those described below.
Before you can start researching how to fix vulnerabilities in your system, you must identify which ones affect you. Ongoing vulnerability scanning provides a regular, automated review of your system that produces a report of known vulnerabilities you need to address ASAP.
Pratum recommends that you perform vulnerability scanning at least monthly. If selecting and managing a scanning tool sounds like more than your staff can handle, you can build vulnerability scans into an information security contract with a provider like Pratum and let dedicated security analysts tailor your scans and review the results.
Once you have a list of vulnerabilities present in your system, you can use the resources below to look up the vulnerability by name and learn best practices for remediating it. (When Pratum reports scan results to clients, we reference the CVE ID for each vulnerability so that clients can go research the details. See the next section for a link to the CVE database.)
We also recommend considering a Managed XDR solution, which brings next-gen threat detection and response to your environment. Managed XDR not only looks for known vulnerabilities, but uses artificial intelligence and machine learning to identify and shut down anomalous activity, providing additional protection against zero-day threats.
Two of the leading resources for understanding vulnerabilities are the National Vulnerability Database provided by NIST and the Common Vulnerabilities and Exposures (CVE) database, which is sponsored by the U.S. Department of Homeland Security and CISA. Both resources let you look up known vulnerabilities and learn from others about each vulnerability’s characteristics and remediations.
The ISACs, organized through the National Council of ISACs, provide sector-specific threat and mitigation information for their member organizations. ISACs started to form after Presidential Decision Directive-63 was signed (May 1998), requesting that each critical infrastructure sector establish organizations for sharing information about threats and vulnerabilities. There are now 25 ISACs, covering a range of sectors, including healthcare, finance, retail, education, and emergency services, among others. This page provides a list of all the ISACs and their descriptions.
Palo Alto’s site is another database that lets you perform detailed searches based on a vulnerability’s name, its severity, products it impacts, etc.
US-CERT provides a variety of threat information, alerts and tips. This site from the Cybersecurity & Infrastructure Security Agency also provides information about product updates from companies such as Apple, Adobe, Cisco, and VMware. In addition, you can find information on the site about other organizations that share vulnerability and threat information.
The Federal Bureau of Investigation partners with members of the private sector to provide an information-sharing organization known as InfraGard, which focuses on protection of critical infrastructure. Chapters nationwide regularly hold InfraGard meetings to present and exchange information about vulnerabilities and threats applicable to national security. All members, regardless of the industry or company they represent, must undergo a background check prior to gaining access to the organization’s portal and meetings.
This site from a well-known cybersecurity training provider describes itself as “a semiweekly executive summary of the most important cyber security news articles published recently. Each news item is annotated with important context provided by respected subject matter experts within the SANS community.” With a free membership, you receive access to the NewsBites newsletter, research, webcasts and more.
Visit this site for updates on security issues related to one of the world’s leading networking platforms.
Several industry associations focus specifically on information security, auditing, and risk. Association chapters provide great opportunities for networking with other information security professionals. Presentations and discussions at chapter meetings can be useful for maintaining awareness across myriad topics, including the latest threats and mitigation measures. This list from Cybercrime Magazine is a useful directory of groups around the country.
No matter which sources you use, your risk analysis efforts can benefit from having multiple choices for vulnerability and threat information. Within our daily schedules, we may not always find time to stay abreast of the latest information, so it’s good to build various vulnerability and threat assessment activities into your routine. To adequately determine risks, an organization must understand its vulnerabilities and potential threats.
If you need help creating a plan for monitoring and remediating the risks in your environment, contact Pratum to find out how our consultants can support your team.
If your customers want proof that you handle data securely, a SOC 2® report provides one of your best options. This industry standard continues to gain momentum as a way for companies to ensure that every vendor in their supply chain maintains proper security controls. For many companies, a SOC 2® report has become a requirement to win and keep contracts with key clients.
Getting your SOC 2® report isn’t a quick decision or process, so you’ll have to make a plan for how you will prepare for a SOC 2® exam. SOC 2® Type II represents a significant investment of time and resources, as the process typically takes at least a year, culminating with an audit by a Certified Public Accountant (CPA) firm. (If you’re unfamiliar with the overall SOC 2® process, read this blog for a summary.)
As you consider how to prepare for a SOC 2® exam, you have a couple of key decisions to make:
Should you hire a readiness consultant or try to prepare for the exam on your own?
Should you take the auditing firm’s offer to handle both readiness and the actual audit?
After helping dozens of companies prepare for their SOC 2® exams, Pratum has seen all the possible scenarios for handling this critical process. Here are several key points to keep in mind.
If you’re considering how to prepare for a SOC 2® exam, contact Pratum today to learn more about how we can help you plan an engagement that’s efficient and effective in growing your business.