Complying with regulations is always an intimidating task for businesses and government organisations. Around the world, recent initiatives that aim to protect sensitive information are creating a new mountain of bureaucracy, making a tough task even harder.
Among the businesses and organisations facing the steepest climbs to compliance today are Australian financial services providers; businesses and organisations subject to the Privacy Act 1988 in Australia; and multinationals that hold data from European citizens.
APRA imposes new FSI compliance requirements
Financial services businesses will need to navigate the difficult terrain of the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234. APRA says the proposed standard, announced on 7 March 2018, will ‘shore up the ability of APRA-regulated entities to repel cyber-adversaries, or respond quickly and effectively in the event of a breach’.
The standard – expected to be implemented from 1 July next year – imposes a long list of requirements on financial services businesses regarding information security responsibility, controls and notifications.
GDPR ‘most important change in 20 years’
Meanwhile, Australian businesses and organisations that hold data from European citizens need to comply with what the European Union describes as ‘the most important change in data privacy regulation in 20 years’.
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location. The GDPR incorporates a range of provisions to protect individuals’ data, including mandatory breach notification; an ability to withdraw consent for processing and disseminating data; and inclusion of data protection at the outset of system design.
Failing to comply with GDPR requirements will be costly. Non-compliant organisations face severe penalties – up to 4% of global turnover or €20 million, whichever is greater. Companies that do not have records in order, fail to notify the supervising authority and data subject about a breach, or do not conduct an impact assessment face fines equivalent to 2% of global turnover.
Data breach notification legislation in force
New data breach notification laws represent one of the most important new compliance requirements for businesses and government organisations in Australia today. These laws, which came into effect in February 2018, require businesses or government agencies with a turnover of $3 million or more (among others) to notify individuals affected by a data breach that is likely to result in serious harm.
State governments are also stepping up the number of regulations designed to improve information security. For example, the Victorian Government has established the Victorian Protective Data Security Framework to establish, monitor and assure the security of information within the government.
Automation key to demonstrating compliance
So how can businesses and government organisations meet these ramped-up governance, risk and compliance obligations? Enhanced coordination, prioritisation and visibility through automation are key.
Many businesses and organisations lack a proper understanding of their risk exposure due to the use of manual processes involving emails and spreadsheets for important activities such as responding to vulnerabilities.
These businesses and organisations are potentially compromising their risk profiles through poor coordination between IT and security; an inability to properly prioritise vulnerabilities for remediation; and an inability to view current vulnerability status. A recent Ponemon Institute survey revealed that:
- 52% of respondents in Australia and New Zealand said their organisation experienced a data breach in the last two years, while 48% of these respondents said one or more of these breaches could have occurred because a patch was available for a known vulnerability but not applied;
- Nearly two thirds (65%) of respondents said their organisations were at a disadvantage in responding to vulnerabilities because they used manual processes; and
- 56% of respondents agreed IT security spent more time navigating manual processes than responding to vulnerabilities – leading to an insurmountable response backlog.
The Enterprise Strategy Group recently found the greatest obstacles to ‘incident response excellence’ were security and IT tool integration and incident response coordination. This comes despite new applications, platforms and databases that enable businesses and organisations to strengthen their risk profiles through automation. These can assist vulnerability visibility and response; connect and provide a single platform for security and IT teams; provide a comprehensive view of vulnerabilities; and assist with remediation priorities.
For businesses and organisations facing a steep climb to regulatory compliance – and the ability to demonstrate that compliance – automated solutions can deliver a unified governance, risk and compliance program supporting real-time risk response. Companies that fail to adopt the tools and technology available to manage governance, risk and compliance will inevitably find themselves falling foul of new regulatory requirements. Those that do adopt them will considerably improve their ability to manage security vulnerabilities and position themselves for competitive advantage by reducing costs and improving efficiencies.