In 2007, I was invited to a Payment Card Industry Security Standards Council (PCI SSC) meeting with representatives from victims of recent data breaches. During the meeting, one victim CEO demanded to know how they could have been breached despite being compliant with the PCI Data Security Standard (PCI DSS). I broke the silence by politely telling him what the other practitioners in the room already knew - that compliance with PCI DSS, or any other framework, cannot prevent data breaches. As you can imagine, he adamantly disagreed, and while his assertion may have partly been a legal strategy to limit liability, he raised an important point: why are we spending all this time and money on compliance if it is not going to prevent breaches?
The reality is that compliance alone cannot equal security. This is a mantra seized upon by the cybersecurity industry for a while now, drawn from pragmatic caution from solutions providers and validated by countless front-line experiences of intrusion responders alike.
Cybersecurity regulations come in all shapes and sizes. Some regulations seek to protect a specific type of information or industry (e.g., PCI-DSS for merchants, HIPAA for healthcare providers). Others attempt to protect more broadly defined data. Issuances often overlap, creating a complex web of obligations at different levels of abstraction. Financial institutions alone can be subject to over 2,300 specific cybersecurity regulations(1). This compliance overhead has been thrust upon organizations of all sizes and industries, including many that have a limited budget to implement the required controls and perform annual audits. And despite the unending stream of new regulations, data breaches are only becoming more and more common.
Compliance can also foster a major disconnect where favorable audit results provide a false sense of security, as we have seen on many of our incident management cases this year. In a recent example, one client had built a security program outpacing their industry’s average, yet was hit with a ransomware attack. When pressed how that was possible by the company’s CEO, the CIO’s response was telling. The CIO indicated that, because of a recent strong compliance audit, they had no reason to look for the preventable cause of the breach. This underscores that compliance-driven security audits are not properly focused on assessing the most impactful controls.
With the challenges and limitations of compliance as the backdrop, we are now seeing savvier underwriting from insurance carriers as they more clearly understand the actual risks that insureds are up against. Unlike compliance frameworks, which are categorically static, underwriters can quickly respond to shifts in the cyber risk landscape. In 2021 we have seen carriers begin to require specific controls, such as multi-factor authentication (MFA), just to obtain renewal pricing. In one case, we had a client liken this type of requirement to extortion, likely an emotional response, but this is another dynamic to be dealt with, like compliance, in order for organizations to operate without taking on too much risk themselves. To use an analogy, this is similar to when an auto insurance carrier requires airbags to get preferred pricing. Either way, the landscape is definitely changing. Recently, Lloyd’s of London indicated that it will not cover cyber-attacks attributable to nation-states threat actors. We have also witnessed certain insurance carriers not offer policies for entire verticals deemed “too risky.”
In 2021, we saw the formation of CyberAcuView, a company dedicated to enhancing cyber risk mitigation efforts across the insurance industry. Made up of a consortium of cyber insurers, the focus will be on providing best practices to improve resilience, engaging with regulators to counter cybercrime / ransomware, and analysis of trends to identify critical controls and inform policyholders on loss prevention strategies. Initiatives like this should help to bridge the gap between regulations and the practical application of recommendations to make things more efficient and effective when it comes to proactive controls to detect, respond, and recover from attacks.
The threat of losing cyber insurance coverage may finally be the thing that drives organizations to take greater ownership of their cyber risks. We expect coverage concerns to drive more interest with senior leaders to take a much closer look at resilience than compliance-driven regulations could ever accomplish. But this does open an opportunity for government to leverage the insurance industry to help guide and shape a new approach to ensuring robust cyber protection that offers flexibility, responsivity, and data-driven assurances not possible with traditional compliance frameworks.
As Vice President of Technical Advisory Services, Jeff leads MOXFIVE's team of expert Technical Advisors who provide strategic incident management services and solutions to clients. Prior to MOXFIVE, Jeff was the Director of Cyber Defense and Incident Response at RSA Security, joining RSA through the NetWitness acquisition in 2011 where he helped build the Incident Response Practice from the ground up. Jeff has held other leadership positions including Delivery Manager for Emergency Response Services at IBM where he was instrumental in getting IBM ISS listed as a PCI Qualified Incident Response Assessor (QIRA) in 2006 during the acquisition of Internet Security Systems and assisting with the integration of the teams through the transfer of trade. Before moving into practice leadership roles, Jeff was a Principal Consultant (Incident Responder) with Internet Security Systems and has held various other positions as a Security Engineer, Security Analyst, and Security Auditor. Jeff has a Master of Forensic Sciences in High Technology Crime Investigations from the George Washington University, and a Bachelor of Science in Business Administration from Old Dominion University. He is a Certified Information Security Manager(CISM), Certified Information Systems Security Professional (CISSP, and a Certified Information Systems Auditor (CISA). Jeff currently resides in Virginia Beach with his wife and three children.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.