3 Key Takeaways About Cybersecurity and Emerging Legal Regulatory Trends
- Crisis communications can’t wait until all the facts of a cyberattack are discovered. Today, crisis communications need to be ready on day one.
- Cyber bloggers stay on top of cyberattacks by following AG (attorney general) reports to find information for their posts, and they make the cyberattack public before many companies have a chance to act.
- Third-party data vendors are no longer the only ones held responsible when a breach occurs. AGs will hold you, the data owner, accountable for handling and reporting the third-party data breach in a timely manner.
NetDiligence® Chief Technology Officer Vinny Sakore and McDonald Hopkins Co-Chair of Data Privacy & Cybersecurity Dominic Paluzzi discuss what we can expect with regard to third-party data breaches and cyber regulatory trends in 2022.
Read a synopsis of their conversation below, and watch the video above to listen to the full interview.
Looking Back at 2021 and Discussing Cyber Regulatory Trends for 2022
VS: It’s a pleasure for us to have Dominic Paluzzi from McDonald Hopkins, one of our platinum Breach Coach firms, here today. We’re going to talk about some trends they’ve seen, as well as where he thinks things are going in 2022.
DP: Thanks, Vinny. I’ve been telling everybody that while a lot has changed, a lot has also remained the same. Obviously, ransomware is still here, but we saw a real uptick in BECs (business email compromises) and wire fraud.
Then there are third-party data breaches, which I definitely think are going to be a true trend. We can have everything safe and secure under our own roof, but then we pass that sensitive data onto a third party, and they have a ransomware attack.
Years ago, we were able to keep data security incidents quiet until we had all the facts, our forensics completed, and our notification and communication plan set. Now you’re down and out, and threat actors are posting about you right away on social media and reaching out to your employees. It’s causing more concern while you try to deal with the hour-by-hour, minute-by-minute triaging of these incidents.
VS: I remember when I was doing incident response, we used to bring in crisis communications near the end. We would say, “Hey, we’re working on a letter, we’ve got some work to do, but let’s bring you in.” There really wasn’t much to do on Day One. But now it’s going public immediately. Do you find your firm has to get involved in crisis communications earlier because your clients weren’t prepared for it to go public on Day One?
DP: Yes. Even though we’re triaging on that first call, we’re now also talking communications. Regulatory scrutiny has increased tremendously, and they want notice within hours. The days of keeping this under wraps until the end are gone.
Whether it’s your breach coach helping you or a crisis communication firm that can supplement and work with internal marketing folks on communications and developing a playbook, it’s critical, because the days of responding with “no comment” or not responding are gone. Reporters and cyber bloggers are going to run with the story as soon as they find out about it, whether you’re ready or not.
That’s another new trend we are seeing: Once we give notice to the attorneys general, cyber bloggers are posting it. They check the AG “Walls of Shame,” develop a story and go live with that information.
VS: You mention the AGs. How would you describe the regulatory environment? Are more regulators involved than before? If it was a healthcare case, you knew you were dealing with HIPAA, and it was pretty contained. But now I’ve heard the term “Wild Wild West” when it comes to which regulators kick in. Would you agree?
DP: I used that term with my team yesterday. I said it’s “Wild Wild West” amongst the state AGs—the usual suspects like Indiana and Massachusetts—but there are also new ones coming out of the woodwork who are collecting data and coming down hard with enforcement action.
And we’re seeing “Wild Wild West” on the federal side. The AGs are requesting more information on data, safeguards, policies, procedures, training, and risk assessments, and they’re asking for it a lot more quickly. It’s really important to have those pre-breach items in place.
VS: I want to shift a little to what you see going forward in 2022 for cyber regulatory trends. We’re not off to a slow start. Microsoft has already released 96 patches on Patch Tuesday.
It’s important to have our cyber hygiene priorities straight and do an assessment of our third-party vendors. How safe is our data? Which ones have the sensitive PII [personally identifiable information]? Do they have safeguards in place?
Also, can they wait two months to give you notice about an incident? More regulators will hold you to a breach notice statute of 30 days. You can’t say, “Oh, the vendor had the breach, it’s all on them.” That’s not how the law works. You are on the hook as the data owner.
VS: Anything to add for insurers and brokers in 2022?
DP: Yes. We obviously have a hardening cyber market with a more rigorous underwriting process for our insureds. The more you can show your potential insurer what you’ve done on a pre-breach side—training, tabletops, security assessments—you’ll hopefully get through that rigorous underwriting process. And it’s going to help you on the incident response side too, and hopefully help you avoid some breaches.
For more information, watch the full video above to hear Vinny and Dominic’s full discussion about cyber regulatory trends in 2022.
You can also find Dominic and some of his partners at the next NetDiligence Cyber Risk Summit conference.
If you have any questions for Vinny, reach out to him at NetDiligence.
Lastly, if you’re looking for a turnkey solution to help guide and coordinate your organization’s response to a cyber incident, click here to learn more about Breach Plan Connect® from NetDiligence.