Is Your Cyber Program Ready for Changing Regulations and Markets?
From the EU GDPR to the upcoming California privacy law, to new SEC cyber disclosure guidelines, the regulatory landscape is drastically changing—compelling businesses to re-evaluate their approach to cyber risk management, disclosure, and insurance coverage.
In a July 17, 2019 webcast, cyber leaders with Marsh JLT Specialty and Marsh Cyber Risk Consulting reviewed new regulations and the need for organizations to align compliance practices and cyber management programs with the changing regulatory requirements. They also discussed the importance of applying an enterprise-wide lens when quantifying and managing cyber exposure, a key component of regulatory compliance.
Regulatory Momentum and Implications
The speakers looked at global regulations such as the EU General Data Protection Regulation, and other countries that have introduced similar regulations.
They also looked at regulations and guidance issued by US federal and state authorities, such as:
- SEC Cybersecurity Disclosure Guidance
- GSA Cybersecurity Contractor Reporting Rules
- Health Insurance Portability and Accountability Act (HIPAA)
- SOX Cybersecurity Systems and Risks Reporting Act
- DoD DFARS Contractor Standards
- New York State Department of Financial Services Cybersecurity Regulation for Financial Institutions
- Illinois Biometric Information Privacy Act
- California Consumer Privacy Act
- California Internet of Things Cybersecurity Law
In particular, the speakers focused on how the changing scope of such regulations goes beyond privacy issues, shifting from reactive to prescriptive and extending to new, biometric frontiers; how “old” laws such as Sarbanes-Oxley are being retargeted to cybersecurity issues; and how non-traditional cyber authorities such as the SEC are now issuing cyber-related guidance.
They then examined the business impact of these new regulations, and how to incorporate regulatory requirements into cyber planning. Among the best practices identified were:
- Treating data and technology issues as operational risks
- Communicating/coordinating across key stakeholders
- Board and C-suite understanding of cyber risk exposure, risk tolerance, and risk indicators
- Recognizing the growing trend of D&O lawsuits and adapting practices and policies
- Inventory of IT, data assets, and third-party access, and risk quantification
- Enterprise-wide awareness training for employees and contractors
- Crisis response planning and testing
Regulatory Impact on Cyber Markets
The discussion then turned to insurance markets, and the implications of changing regulation on available insurance coverages and buying trends. One key trend highlighted was the changing demographics of cyber insurance buyers to include non-privacy intensive industries, such as manufacturing and power.
The fact that new regulations expand beyond privacy issues to touch on entirely new technologies will be a factor in how the insurance markets adapt coverage offerings going forward. Finally, the speakers covered how “silent cyber” has prompted insurers to change their coverage approach and what insurance buyers need to do to ensure their coverage stays current with the changing risk environment.
Hear Shannon Groeber, Cyber Innovation Leader; Bob Parisi, Cyber Product Leader; and Chris Hetner, Managing Director, join Advisen moderator Erin Ayers in an engaging hour-long discussion of these important and fast-moving issues, including 30 minutes of addressing audience questions.
Listen to the webcast replay: https://www.advisenltd.com/is-your-cyber-program-ready-for-changing-regulations-and-markets/