Regulations Webinar Q&A: The Cloud, Penalties, Global Perspectives, and More
Thanks to all who attended DRI’s recent webinar, “Beyond Compliance: Getting Real About Regulations.” We received some great questions from attendees who wanted to hear more — here are the responses from speakers Bobby Williams and Al Berman.
Q: Is the approach changing for compliance adherence with the coming of cloud-based infrastructure – where the customers don’t need to worry much about it as the vendor takes care of it all?
BW: The “cloud” should be looked upon as another environment that you need to protect and do “due diligence” toward resiliency. A company is still responsible for its own data and the protection of it. A contract with a cloud service provider should include a definitive and enforceable model for data protection responsibility (like the business associate agreement (BAA) in the HIPAA Final Rule and HITECH Act).
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. (www.fedramp.gov)
Providers can offer the services to non-government entities, but each entity is responsible for ensuring that the services subscribed to are indeed incorporated by the provider.
Q: What is the process leading up to penalties (financial or other) for non-compliance and what are the penalties?
BW: Penalties could be assessed as a result of regulatory audits, discovery by authorities of undisclosed breaches, improper notification of breaches (intentionally or unintentionally), or improper data handling (companies not protecting customer information).
The Office of Civil Rights (OCR) has enforcement jurisdiction for HIPAA violations. They publish their “Wall of Shame” of breaches at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. It doesn’t list the fines assessed, but it does list the number of records. The Anthem breach in 2015 was reportedly settled for $115 Million.
AT&T was reported to have been fined $25 Million for the 2014 data breach. Target reportedly settled for $18.5 Million for the 2013 breach.
The fines are high, but the costs to reputation and man-hours spent on remediation are probably higher. Some business interruption insurance policies could reach the maximum payout before the mess is cleaned up (the Anthem breach fine was reportedly $15 Million more than the insurance policy).
Q: Much discussion around calls for more “robust” counter-measures. How can we define that in a dynamic environment?
BW: In my opinion, everything starts with a risk assessment that is thorough and up to date. The tendency of companies to use an “all hazards” approach (even though it could violate laws and regulations) may result in a lack of complete understanding of the threat environments. Larger companies are spending more on Cybersecurity than on BC and DR combined because that is the greater threat in their risk register (or the minds of executives). Some smaller companies or not very savvy companies tend to believe that BC or DR programs will protect them. They sometimes find out too late that Cybersecurity threats are a little different and the protection requires some specialized attention.
Even though we think that the environment is dynamic, there are some best practices (NIST SP 800-53 Rev 4 is a great place to start in the InfoSec realm) that should be implemented. Remember, the bad guys are usually getting in by using well known and documented techniques that shouldn’t exist in a corporate environment.
Non-cybersecurity threats can be addressed if known in a dynamic environment. However, if we don’t know the threat, how can we mitigate it?
Q: How can we engage people to have a resilient mindset without enforcing regulations?
BW: As BC and DR professionals, it seems that we spend a huge amount of our career trying to help our company do the right thing. When we institute a program (professional practice 1), we “establish the need for a BC program”. Don’t we usually list the laws and regulations that are pertinent to our business/industry? We can’t simply say that we need to do it because “it is the right thing to do”. However, it should be done for just that reason.
Some say that people with a resilience mindset are thinking differently than normal people (okay, so maybe they just say that about me). It must be a corporate culture and priority to be resilient. No business leader wants their business to fail, but watch their eyes glaze over when you bring up BC/DR. It just isn’t “exciting” to them.
Many successful BC/DR practitioners have found that engaging company leadership in thought provoking exercises helps the leaders to understand the importance of a robust resilience program.
Another technique is to help employees understand that they need to have a home resilience plan for their family. We don’t have to turn everyone into a prepper, but why not help folks understand the natural threats to their homes and how to prepare for 3 days off the grid.
When people understand the concept, they really try to incorporate it into every aspect of their lives.
Q: How would the DRI Hub of Resilience enable conformity to Compliance & Regulations?
AB: The Resilient Enterprise process does exactly that.
The process involves measuring an organization against its approved governance and policies & procedures. However, if DRI finds that an organization is not in compliance with regulations governing its activities, DRI will cite the regulations and provide recommendations for becoming compliant.
One client actually asked that we audit it against regulations from 7 different specific countries, in addition to assessing it against its own governance and Policies & Procedures. For this customer, we created a separate set of questions that mapped its process to each of the regulations. Where we found the company to be in compliance, we cited the document reference; for those not in compliance, we made recommendations to help it become compliant. Not only did this help improve the compliance for the organization, it also made the actual audit much easier to show compliance.
Q: How should we monitor all these burgeoning compliance and acts especially from third world countries, Europe and political motivations?
AB: This is an extensive endeavor that does require an organization to maintain a constant vigil. The process should start with determining to which industry regulations the company is required to comply. Then add the countries in which the company operates. Finally, understand that with the expansion of supply chain supplier/vendor regulations, the compliance picture broadens out: in some industries, suppliers/vendors must comply with their customers’ regulations. So, it is important to understand not only your organization’s requirements, but those of your customers.