COVID-19 may have slowed down business, but it hasn’t slowed down time. Meeting the deadlines to demonstrate compliance with cybersecurity regulations and certification standards under pandemic conditions is proving to be a challenge for some companies.
A survey of 100 North American CISOs that was conducted last June and whose findings were released on Sept. 15 found that even in the coronavirus era, security professionals are prepping for 3.3 audits on average over the next six to 12 months, as they seek compliance with multiple frameworks and standards, such as those mandated by the Health Information Trust Alliance, aka HITRUST (51 percent of respondents), HIPAA (45 percent), the Payment Card Industry (41 percent) and the California Consumer Privacy Act, aka CCPA (41 percent).
And yet, as they circle these dates on the calendar, CISOs must contend with inadequate tools, budgets and manpower. Among the CISOs participating in the survey, commissioned by automated cloud compliance company Shujinko, two-thirds said they dislike their current audit preparation toolsets. Asked how the audit preparation process could be improved, respondents cited better automation, communication and collaboration as their top three preferences.
“This survey clearly shows that CISOs at major companies are caught between a rock and a hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO and co-founder. “Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility.”
Other experts in the field agree that companies are scrambling to meet cyber audit compliance deadlines due to complications from COVID-19. For starters, the pandemic diverted CISOs’ attention as they rushed to convert operations to a work-from-home model. Secondly, the sudden proliferation of new WFH tools and infrastructure potentially introduced a new slate of non-compliance risks.
Under these strained conditions, businesses are at risk of security control degradation, warned Jeremy Huval, chief compliance officer at HITRUST. What’s more, he added, introducing significant changes to one’s business in light of COVID-19 could actually trigger additional scrutiny, because “many security and privacy regulations and frameworks require organizations to perform risk assessments not only at a set frequency, but also when significant changes occur.”
Of particular concern, said Huval, are manual controls, “which are inherently at a greater risk of being overlooked or jettisoned altogether than their automated counterparts.” But sources of non-compliance could also come from “systems implemented and capabilities established under duress,” because they were installed with a “we-need-it mindset more than the we-need-to-secure-it mindset.”
“Yes, COVID-19 has certainly caused delays amongst organizations actively involved in HITRUST assessment activities,” said Andrew Hicks, vice president of risk assurance and national HITRUST practice lead at Frazier and Deeter, LLC. “These delays have largely been reduced over the past two-to-three months since organizations have now discovered alternative ways to perform remote assessment activities, but at the COVID-19 onset back in March, assessment activities were crippled as organizations, and their control owners, worked to modify their business operations to support a 100 percent remote workforce.”
“Relative to HITRUST, organizations have annual requirements that could be in jeopardy should they not be able to complete their required maintenance and/or re-certification requirements,” Hicks added.
Paul Breitbarth, director, policy and strategy at TrustArc, agreed that the sudden switch to work-from-home operations changed the game for a lot of organizations, and “caused a re-prioritization of efforts of compliance departments: assessing working-from-home and web conferencing tools, implementing additional security like VPNs, etc. This will have taken attention away from ongoing, regular compliance efforts.”
Working remotely also makes cooperation and collaboration within an organization “slower and more complex,” he added, “especially when brainstorms are required to find creative solutions for compliance challenges.”
Dr. Zulfikar Ramzan, chief digital officer at RSA, said a particularly tricky compliance challenge for businesses under COVID-19 is how to efficiently respond to data subject access requests (DSARs) from individuals who demand to know how their data is being stored and managed.
“Responding to DSARs requires some coordination among multiple parties. A distributed and remote workforce only serves to exacerbate the situation,” said Ramzan. “Compounding the challenge, organizations often have a limited time window to respond.”
Under the EU General Data Protection Regulation (GDPR), DSARs generally must be answered within one month, while the CCPA gives 45 days.
There are, of course, consequences for lapses in compliance, including costly financial penalties imposed by government regulators or loss of certification, which is expensive to win back.
Organizations “know all too well that while achieving an information protection certification is hard, losing one can be harder,” said Huval. “Losing such a certification means more than just pulling a stamp from marketing materials and updating the website – as it can sow doubt in the minds of customers and other stakeholders. To many, demonstrable security and privacy assurances are a prerequisite of doing business.”
But Breitbarth doesn’t think most companies will allow themselves to lose certification status. “That could not only be a costly affair – re-certification is generally less costly than initial certification – but would also cause other problems, especially in B2B relations, [as] many organizations ask for certifications as part of security arrangements.”
Don’t expect leniency from standards bodies…