On February 2, NetSPI Managing Director Ron Kurisack was featured in the SecurityWeek article called Cyber Insights 2023 | Regulations. Read the preview below or view it online.
SecurityWeek Cyber Insights 2023 | Regulations – In this world, nothing is certain but death, taxes, and cyber regulations. The first is static, the second goes up and down, but the third seems only to increase. The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often in conflict with the second and third.
Transatlantic data flows
Privacy is the headline battleground going forward, and amply illustrates the conflict between voter demands and national economies. This can be seen in the unsettled but multi-year attempt to find a legal solution to the transfer of personal user data from Europe to the US. Economics demands it, but European law (GDPR) and swathes of European public opinion deny it.
At the time of writing, it is almost certainly illegal to transfer PII from Europe to the US. The Privacy Shield – the second attempt at finding a workaround to GDPR – was declared illegal in what is known as the Schrems II court ruling. The wording of that ruling almost certainly eliminates an alternative approach known as ‘standard contractual clauses’.
During 2022, the European Commission (EC) and the US Biden administration have worked on developing a replacement for Privacy Shield. The ball was obviously in the US court, and on October 7, 2022, Biden issued an Executive Order to implement the EU-US Data Privacy Framework agreement – sometimes known as Privacy Shield 2.0.
This was enthusiastically greeted by US business. IBM, for example, issued a statement, “These steps will restore certainty to the thousands of companies already self-certified under Privacy Shield. Providing predictable, free flows of data between the US and the EU will secure the mutual benefits of continued business cooperation and will create a foundation for future economic growth.”
Martin Zinaich, CISO at the City of Tampa, once suggested to SecurityWeek, “If it ain’t required, it ain’t gonna happen.” We may have reached the point, with better organized cybercriminals and more aggressive nation states, where it must happen and therefore must be required.
Ron Kuriscak, MD at NetSPI, certainly believes so. “Regulations need to become much more mature, stringent, and punitive. We must hold organizations more accountable for their inaction in the area of cybersecurity… Organizations will be held accountable for basic cybersecurity hygiene. If they are unable to meet the most basic standards a regulator will require a third party to take over cybersecurity program execution (they will be mandated to cover the associated costs). Similar to the FDA, we will start seeing industry-aligned compliance regulations with real penalties that will force real compliance and organizational change. The key will be enforcement and penalties.”
Read the full article at SecurityWeek!