Perfect the basics
Businesses in 2020 wrestled with understanding if, when, and how they should invest in achieving compliance. Actions varied wildly across industries and revenue segments.
The rapid changes forced by COVID-19 only widened pre-existing compliance gaps and, in many cases, opened new ones. A fictional but entirely realistic example: a healthcare organization that swiftly launched telemedicine to save lives and, in doing so, skipped some elements of HIPAA compliance; or a retailer that signed a dozen third-party contracts to rapidly scale a digital storefront, forgoing cyber security due diligence on its new vendors. Now is the time to fix those missteps and perfect the basics to ensure future success.
Entering 2021, change is underway. Impelled by the SolarWinds breach, United States President Joe Biden proposed USD 9 billion in funding to bolster the work of the country's Cybersecurity and Infrastructure Security Agency (CISA). Section 230 of the US Communications Decency Act is likely to be revisited, as individuals on both sides of the political divide want technology companies to be held accountable.
Additionally, alignment with the European Union's General Data Protection Regulation (GDPR) needs to be a centerpiece of any cyber security plan. Data privacy regulation modeled on GDPR will continue to emerge: in May 2020 Thailand's Personal Data Protection Act (PDPA) took effect, and at the end of 2020 the California Privacy Rights Act (CPRA) became law, expanding and amending the original California Consumer Privacy Act (CCPA) to become the most restrictive data protection law in the US.
As digital technology intersects with medicine, the healthcare industry will face more regulatory demands. The new EU Medical Device Regulation (MDR) is mandatory and requires manufacturers to apply risk management principles, including information security, and to protect devices against unauthorized access.
The regulatory landscape is complicated at best, and organizations navigating regulatory risk must be mindful of one point in particular: compliance does not equate to security. Standards only set the baseline. Sound security practice requires bespoke controls based on the organization's specific business needs and activity, and those controls may need to extend well past what governing standards demand.
Organizations have yet to perfect the basics when it comes to managing current and pending regulatory challenges.
Explore the key risks arising from compliance gaps, map them to the cyber security controls that address them, and determine the actions your organization can take to close those gaps.
*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.