Cybersecurity may often be an afterthought at your brokerage or business, but ensuring your team’s safety is not only ethical; it will soon be a necessity by law.
In an Aug. 29 article, Harvard Business Review reported that cybersecurity regulations are coming. Instead of just abiding by the recommended actions, businesses will be responsible for taking care of security risks.
Last year, 36 states enacted new cybersecurity legislation. Most of that legislation deals with privacy; however, reporting threats is also covered in some legislation, and as we learn how to deal with threats, more rules are coming.
Right now, most cybersecurity threats are not required to be reported unless private information like names and credit card numbers is stolen. That’s why you hear about companies falling victim to huge ransomware attacks after the fact instead of while the attack is ongoing.
The Republican Policy Committee reports that fewer than 25% of data breaches are reported. The average length of time it takes to identify and contain a breach is 287 days. The average ransomware breach costs $4.6 million, and 80% of breaches are discovered and disclosed by an external party. Other organizations say the number is smaller, but what’s clear is that no one knows exactly how much is at risk at this time, and states are telling businesses that has to change.
Right now, companies need to get proactive.
Companies subject to SEC regulations need to make sure they have processes and procedures in place to address breaches quickly. Quickly is where many companies are falling down on the job.
Ransomware policies need to be up to date. Some states are making it illegal to pay ransomware attackers. Harvard Business Review tells companies to look at their ransomware policies to see if changes to current cyber insurance policies need to be addressed.
Make sure you have a ‘Software Bill of Materials’ with properly vetted sources for software and software bundles. Not knowing you introduced a vulnerability won’t be an excuse. Companies need to know.
States are telling businesses they need to get their cybersecurity houses in order. Governments both local and abroad are moving in a direction that will place blame squarely on business owners’ shoulders if the vulnerabilities are not addressed.