Pratum Blog

How Will New Cybersecurity Laws Affect Your Organization

The government keeps making it harder for business leaders to kick the cybersecurity can any further down the road. Another round of new cybersecurity laws affecting the insurance industry, for example, continues the trend of state and federal bodies giving businesses not-so-gentle pushes to get their data policies in order.

So far in 2021, three more states have passed laws that step up cybersecurity requirements in the insurance industry, bringing the total to at least 14 states that have implemented laws based on a model drafted by the National Association of Insurance Commissioners. In the spring of 2021, Iowa passed a new cybersecurity law to go alongside new laws in Maine and North Dakota. Several other states have pending legislation based on NAIC’s model.

New Rules Will Keep Coming

Most of the recently passed laws start taking effect in early 2022, with some aspects delayed until 2023. The U.S. Treasury Department has asked all states to pass laws based on NAIC’s model by 2025. After that, it’s likely that the U.S. Congress would pursue legislation to close any remaining gaps at the state level. In 2021, 44 states introduced or considered more than 250 bills and resolutions dealing with cybersecurity.

Meanwhile, President Biden signed an executive order in May 2021 that steps up the federal government’s cybersecurity game by strengthening standards for government systems, requiring better security measures from software developers and creating an incident review board that will investigate major breaches in an effort to prevent future problems.

And the Defense Department is currently rolling out its new CMMC standard, which requires 300,000 companies at all levels of the DoD supply chain to get third-party certification that their cybersecurity policies are up to par.

Breaches Drive Action

All this government action to harden information security defenses points to a quickly dying “it won’t happen to us” mentality. The last six months have produced headline-grabbing demonstrations of America’s gaping cyber holes as seen in breaches of SolarWinds and Microsoft Exchange Server and the ransomware attack that shut down the Colonial Pipeline.

Perhaps the strongest indication that both government and businesses are getting serious about cybersecurity is the bipartisan support regularly seen for the new laws. Iowa’s new insurance law, for example, passed during its first legislative session with a total vote of 137-0 in the House and Senate before being signed into law by Republican Gov. Kim Reynolds.

Michael Daniel, President/CEO of the Cyber Threat Alliance, told the Washington Post in 2020, “Most of cybersecurity is a nonpartisan issue. It’s one of the few things that’s true in Washington.”

The challenge with any of these laws, of course, is that they deal with a rapidly shifting tech landscape. That means private organizations must continue to actively drive their own security policies rather than count on compliance with dated regulations to keep them safe.

A National Model for New Laws

NAIC saw the problem growing back in 2016 and decided to push for change in the wake of major insurance-industry breaches that compromised the personal information of millions of consumers. After seeking input from insurance regulators, consumer representatives and the insurance industry, NAIC released its model regulation.

These NAIC-inspired laws typically apply to any organization licensed by the state department of insurance, including insurers and insurance agents. If your state has passed legislation based on the model law, read the details. Several states have modified the template in important ways. For example, in various states the required deadline for notifying the state of a breach is 72 hours, three business days or 10 days.

What’s in the New Insurance Regulations

Note that most of these laws exempt smaller companies from the requirements. Iowa, for example, exempts companies with fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.

Under Iowa’s new law, all other organizations licensed by the insurance commissioner must:

  • Conduct regular risk assessments – The assessment must identify “reasonably foreseeable” threats, identify the potential damage from those threats and determine whether sufficient safeguards are in place to prevent the threats. The risk assessment must include a review of employee training and management.
  • Develop a comprehensive, written information security program – As part of this requirement, organizations must designate a specific person responsible for managing this program. (Pratum’s vCISO service can help provide the oversight your organization needs to manage your requirements under these laws.) The information security policy must use appropriate access control measures to protect data (such as multifactor authentication), use secure software development methods and regularly monitor systems to reveal intrusions.
  • Report and investigate breaches – The law is concerned with any event that results in unauthorized access to nonpublic information about a customer, such as a Social Security number, driver’s license number or account numbers. In the Iowa law, organizations must notify the commissioner of a confirmed breach within three business days of confirming the event. In some circumstances, the organization may be required to notify consumers of the breach as well.
  • Develop a written incident response plan – The incident response plan must provide details on how the organization will deal with a breach, including information on how it will restore operations and appropriately communicate about the breach both internally and externally.
  • Submit annual cybersecurity reports to the insurance commissioner – The report will verify compliance with the law’s provisions. The commissioner can inspect all records related to the cybersecurity policies at their discretion.
  • File for exemption under HIPAA or Gramm-Leach-Bliley Act – Organizations that are subject to and in compliance with either of these acts can file for an exemption from the requirements of Iowa’s law. Pay particular attention to this provision in your state’s law, as it is not part of the NAIC model.

Clearly, the regulatory landscape for cybersecurity is changing by the month. For help in understanding how new laws affect your organization—and what requirements are on the near horizon—contact Pratum today.

Vulnerability & Threat Intelligence Information Sources

No matter which framework your organization uses to determine risks to information assets, understanding vulnerabilities and threats plays an integral role. Given the sheer breadth of known vulnerabilities and potential threats, not to mention the ever-growing number of malware variants, it’s important to narrow the information down to a usable amount that can feed your risk analysis efforts. Your organization’s vulnerability and threat information needs may vary over time, but it’s good to know that several sources are available, including those described below.

Start with Vulnerability Scanning

Before you can start researching how to fix vulnerabilities in your system, you must identify which ones affect you. Ongoing vulnerability scanning provides a regular, automated review of your system that produces a report of known vulnerabilities you need to address ASAP.

Pratum recommends that you perform vulnerability scanning at least monthly. If selecting and managing a scanning tool sounds like more than your staff can handle, you can build vulnerability scans into an information security contract with a provider like Pratum and let dedicated security analysts tailor your scans and review the results.

Once you have a list of vulnerabilities present in your system, you can use the resources below to look up the vulnerability by name and learn best practices for remediating it. (When Pratum reports scan results to clients, we reference the CVE ID for each vulnerability so that clients can go research the details. See the next section for a link to the CVE database.)

We also recommend considering a Managed XDR solution, which brings next-gen threat detection and response to your environment. Managed XDR not only looks for known vulnerabilities, but uses artificial intelligence and machine learning to identify and shut down anomalous activity, providing additional protection against zero-day threats.

Vulnerability Databases

Two of the leading resources for understanding vulnerabilities are the National Vulnerability Database provided by NIST and the Common Vulnerabilities and Exposures (CVE) database, which is sponsored by the U.S. Department of Homeland Security and CISA. Both resources let you look up known vulnerabilities and learn from others about each vulnerability’s characteristics and remediations.

Information Sharing and Analysis Centers (ISACs)

The ISACs, organized through the National Council of ISACs, provide sector-specific threat and mitigation information for their member organizations. ISACs started to form after Presidential Decision Directive-63 was signed (May 1998), requesting that each critical infrastructure sector establish organizations for sharing information about threats and vulnerabilities. There are now 25 ISACs covering a range of sectors, including healthcare, finance, retail, education and emergency services, among others. The National Council of ISACs’ member page provides a list of all the ISACs and their descriptions.

Palo Alto Network Security Advisories

Palo Alto’s site is another database that lets you perform detailed searches based on a vulnerability’s name, its severity, products it impacts, etc.

United States – Computer Emergency Readiness Team (US-CERT)

US-CERT provides a variety of threat information, alerts and tips. This site from the Cybersecurity & Infrastructure Security Agency also provides information about product updates from companies such as Apple, Adobe, Cisco and VMware. In addition, you can find information on the site about other organizations that share vulnerability and threat information.

InfraGard

The Federal Bureau of Investigation partners with members of the private sector to provide an information-sharing organization known as InfraGard, which focuses on protection of critical infrastructure. Chapters nationwide regularly hold InfraGard meetings to present and exchange information about vulnerabilities and threats applicable to national security. All members, regardless of the industry or company they represent, must undergo a background check prior to gaining access to the organization’s portal and meetings.

SANS NewsBites

This site from a well-known cybersecurity training provider describes itself as “a semiweekly executive summary of the most important cyber security news articles published recently. Each news item is annotated with important context provided by respected subject matter experts within the SANS community.” With a free membership, you receive access to the NewsBites newsletter, research, webcasts and more.

Cisco Security Advisories

Visit this site for updates on security issues related to one of the world’s leading networking platforms.

Information Security Professional Associations

Several industry associations focus specifically on information security, auditing and risk. Association chapters provide great opportunities for networking with other information security professionals. Presentations and discussions at chapter meetings can be useful for maintaining awareness across myriad topics, including the latest threats and mitigation measures. Cybercrime Magazine maintains a useful list of groups around the country.

Staying Alert

No matter which sources you use, your risk analysis efforts benefit from having multiple choices for vulnerability and threat information. Within our daily schedules, we may not always find time to stay abreast of the latest information, so it’s good to build various vulnerability and threat assessment activities into your routine. To adequately determine risks, an organization must understand its vulnerabilities and potential threats.

If you need help creating a plan for monitoring and remediating the risks in your environment, contact Pratum to find out how our consultants can support your team.

Are You Prepared for a SOC 2® Exam?

If your customers want proof that you handle data securely, a SOC 2® report provides one of your best options. This industry standard continues to gain momentum as a way for companies to ensure that every vendor in their supply chain maintains proper security controls. For many companies, a SOC 2® report has become a requirement to win and keep contracts with key clients.

Getting your SOC 2® report isn’t a quick decision or process, so you’ll have to make a plan for how you will prepare for a SOC 2® exam. SOC 2® Type II represents a significant investment of time and resources, as the process typically takes at least a year, culminating with an audit by a Certified Public Accountant (CPA) firm. (If you’re unfamiliar with the overall SOC 2® process, read this blog for a summary.)

As you consider how to prepare for a SOC 2® exam, you have a couple of key decisions to make:

1. Should you hire a readiness consultant or try to prepare for the exam on your own?

2. Should you take the auditing firm’s offer to handle both readiness and the actual audit?

Facts to Consider Before a SOC 2® Exam

After helping dozens of companies prepare for their SOC 2® exams, Pratum has seen all the possible scenarios for handling this critical process. Here are several key points to keep in mind.

  • DIY preparation is more work than you think. As you consider how much money you’ll save by not paying a readiness consultant, be sure to factor in the extra workload that SOC 2® prep will put on your internal team. To keep up with all the other work that keeps happening, you’ll probably have to bring in additional temp help or postpone some projects.
  • An unfavorable SOC 2® report is costly. Auditors report what they find during the exam. They won’t comment on how you plan to fix any shortcomings in your security controls, and the process does not include a grace period for you to correct gaps before the report is issued. So if you have gaps, potential customers will read about them when they ask to see your SOC 2® report. (The report includes a place known as “Management’s Response” where you can comment on noted deficiencies, but the auditors won’t weigh in on your statements.)
    After you fix gaps, you’ll have to pay for another audit to get a report that shows that you now handle every area acceptably. The cost of a second audit will exceed what you would’ve paid a readiness consultant to help you get the desired result on the first try. Plus, a second Type II audit will probably take at least another 6 months. Are your current and potential customers willing to wait that long for you to get a SOC 2® report that satisfies them?
  • All-in-one services are rarely experts in everything. Some large CPA firms also offer cybersecurity services and will offer to help with both readiness and the audit. For simplicity’s sake, hiring one firm to handle the entire process certainly sounds attractive. (SOC 2® rules dictate that only CPA firms can perform the exams, so only CPAs can offer all-in-one service.) But the staffs of accounting firms rarely provide the deep expertise you get from a dedicated cybersecurity consulting firm. We’ve seen the best SOC 2® results come by teaming a cybersecurity consultant and a CPA firm that regularly work together on engagements. Because the teams collaborate frequently, you get all the benefits of a smooth process while tapping the expertise of pros from each category.
  • Cybersecurity consultants add insights from dozens of other clients. Consulting teams like Pratum’s take a deep dive into your business and its specific risk factors to help you develop the most applicable control sets during SOC 2® scoping. Their recommendations include best practices accumulated through engagements with numerous other clients. When you’re focused on getting your SOC 2® exam right the first time, you want support from experts that prepare dozens of companies for SOC 2® each year.
  • Proper scoping advice determines the outcome. Uninformed scoping can make a SOC 2® engagement harder, longer and more expensive than it needs to be. Readiness consultants help ensure that your engagement covers exactly what it needs to—but no more. A good consultant will have solid relationships with the auditors and will bring them into the scoping process to ensure that all sides agree on the rules of engagement before the work starts. If the scoping is inaccurate or vague, the auditors may dive into parts of your company that they don’t need to look at. Poor scoping also may leave out key elements that your clients want to see in the final report, which means you could spend a lot of money generating a report that doesn’t even speak to what your customers want to know.
  • Readiness consultants know what’s on the test. Nobody likes to guess about what they’ll be reviewed on. Experienced readiness consultants have dealt with enough auditors to know what they’re going to ask, what information they’re going to request during the fieldwork, etc. In many cases, readiness consultants work with the same specific people at the same CPA firms on multiple occasions. This familiarity between them makes your engagement go even more smoothly.
  • You need an advocate during the exam. Even if you’re working with a reputable, well-intentioned auditor, you’ll almost inevitably have some disagreements. In most SOC 2® engagements, clients feel that the auditors are exceeding the agreed-upon scope in some areas. Or the client might feel that the auditor is incorrectly declaring a control insufficient because they don’t understand the scenario in which it’s being used. A good readiness consultant maintains a friendly relationship with the auditor—but makes clear that their job is to protect your interests. They will present your case to the auditor and provide supporting information to show them your point of view.

If you’re considering how to prepare for a SOC 2® exam, contact Pratum today to learn more about how we can help you plan an engagement that’s efficient and effective in growing your business.
