Regulatory Compliance: Boards Top Questions for CISOs
This is part four of a four-part series that offers guidance on proactive communication strategies for CISOs, including ways to translate key information and express your actions in executive language, so you can remain focused on the important work of responding to incidents, events and threats equally, in order to mitigate organizational impacts.
So far, we’ve discussed how to talk to your board about cyber risk exposure, cyber risk mitigation plans, and due diligence in the event of an incident. The next logical set of questions you need to be prepared to answer is about cybersecurity regulatory compliance.
As we all know, our businesses are guided by a host of industry and government regulations. The moment you have an incident (or suspect a threat), it triggers an abundance of questions from many different entities around the potential impact on the security and integrity of your data and operations. You need to be prepared to effectively respond to these questions. Let’s look at how to help prepare yourself to answer “ How are we going to reply to regulatory or other compliance inquiries?”
Subtext questions to consider:
- Do any potentially exposed systems process, store, or transmit regulated data?
- If so, who do we need to notify? Have we done so?
- What constitutes due care?
- How should remediation activities be tracked?
Cybersecurity Regulatory Compliance: What Do We Say and When?
From the moment a vulnerability is discovered, regulators will want to know how you assessed and mitigated your attack surface exposure. They will want to know details of your asset inventory, including if you can pinpoint where the vulnerability exists in your environment; what communications occurred; if there was a potential instance of compromise, and if so, was the appropriate regulatory authority notified in a timely manner; what mitigations and remediations were taken, any lessons learned, etc.
In a nutshell, regulators want to understand what existing processes you had in place and what actions you took to minimize the impact on any vulnerable assets. Often, when regulators are involved, it means customers and/or clients are also involved (e.g., their personally identifiable information has been stolen), or there is a potential systemic risk to your industry/sector (e.g., targeted attack on the energy grid). As a result, their inquiries are not something to be afraid of or shy away from—they just need to be responded to thoughtfully and transparently.
This will help minimize any potential for further damage (e.g., to your brand or reputation). If you had an exploit that impacted your organization (and your customers) if you show how you dealt with it—tackled, addressed, and learned from it—it will paint the organization in a better light than if you try to hide it.
Communicating About a Cyber Incident: Know Who to Notify
Some regulations have provisions that dictate when regulated entities need to notify customers and specified third parties in the event of a breach. Sometimes contracts with third parties include notification provisions—they must notify you, or you have to notify them of an instance of exposure. However, you should also notify your crisis triage team, incident response vendor, and external counsel so they can take action.
Having an incident response retainer is becoming almost standard practice, as it can help you demonstrate that you took reasonable steps to protect regulated data from exposure post-incident. In the event there is suspicion of exploitation or compromise, you will want to have the right retainer in place with a forensics and incident response firm, in addition to notifying your external counsel.
It is critical to make sure that all your communication protocols are bulletproof for all of your internal and external constituents. Note, a regulator will not expect you to have instantly remediated or mitigated incidents. What they are looking for is that you have done your due diligence upfront, so you weren't completely under-prepared. They want to know you were able to detect the attack and its impacts in a timely manner and worked with all the right stakeholders to communicate and remediate it.
Succeeding at Incident Response: It's All About Having Solid Relationships
When you are in the middle of dealing with an incident, you will find comfort in your existing relationships with external counsel and your incident response vendor. Reach out now and start building those relationships. Understand their triage processes and get their cell phone numbers. Do this proactively because when you are dealing with an incident, having one of your worst workdays, those strong relationships are going to be your lifeline.
Consider sharing your incident response plan with your incident response vendor and get their thoughts. Bring them into the fold, so when these specialists come in and carry out that full investigation, you understand what they are doing and have some assurances that they can determine what has happened.
You want to be familiar with your retainer—make sure it includes activities that could be necessary for your legal and regulatory compliance obligations. Proactively engage your legal team to make sure you understand your regulatory obligations in different jurisdictions, particularly if you are a multinational company.
Also, you may consider building a relationship with your regulators. Sometimes it’s the regulators who have an advanced understanding of the threat landscape, which could help you prepare for what’s coming. Don’t assume that if data wasn’t stolen, regulators aren’t that interested. They are constantly on the lookout for new threats and exploits. They will probably be interested in what you did about an adversary positioned in your organization with potential access to data, even when there is no evidence that data was taken outside of the organization.
It also gives you a chance to show how you dealt with the threat (e.g., "Well, we took it from that event, and we worked backward, and forward, across the kill chain, to understand what could have happened, and what has happened."), which helps regulators get a better understanding of the robustness of your processes and programs, which could make future dealings smoother.
Check out part four of this series, which looks at how to answer the question, “How are we going to reply to regulatory or other compliance inquiries?”
Learn more about how to talk to your board about cybersecurity regulatory compliance by watching this video:
Get in Touch
Remember to ask for Unit 42 by name with your cyber insurance carriers if you need incident response services.
If you think you may have been impacted by the Log4j vulnerability or any other major attacks, please contact Unit 42 to connect with a team member. The Unit 42 Incident Response team is available 24/7/365. You can also take preventative steps by requesting a Proactive Assessment.