We talk about how countries around the world are in the throes of implementing their own versions of the General Data Protection Regulation (GDPR). That includes the spread of California Consumer Privacy Act (CCPA)-like regulation from California to other US states, but also similar standards set to come in regions as diverse as Africa and China.
Also, Gorge talks about the need for “cyber accountability” at C-suite level and how organisations can achieve it.
Antony Adshead: Where did we end up in 2021 with regard to compliance, regulations and standards, and what can we expect in 2022?
Mathieu Gorge: 2021 was an incredibly busy year with regard to new regulation and updates to standards and frameworks.
Some of the more important changes include those that were essentially implemented by the new Biden administration. We’ve seen executive orders, not just on critical infrastructure protection, but also we’ve seen a push from the administration for more privacy regulation and we know they’re looking at an equivalent of GDPR in the US, from a CCPA perspective. The idea would be to have the equivalent of CCPA throughout the US at a federal level.
It’s worth noting that it’s not the first administration trying to do that, but they’re really trying to push for it. In the meantime, some states like Virginia pushed out their own equivalent of CCPA, and we know there are another five or six states doing that.
Meanwhile, at the end of last year in China, the new privacy regulation came out, and what’s really interesting in that, from a data privacy perspective, is that it has some level of extra-territoriality like GDPR. So, in other words, it could apply to you even though you’re not in China. We’re not quite sure how it’s going to be implemented just yet, so there haven’t been any fines around it, but that’s something we definitely need to look into.
We saw a lot of activity in Africa, specifically sub-Saharan Africa, with Kenya, Ghana and South Africa rolling out another privacy regulation.
We’re seeing a kind of convergence. Everyone seems to have learned from GDPR and the basics of protecting the data in the first place, understanding what the data is, where you store it, where you can and can’t transfer it.
I expect we’re going to see a lot more of that in 2022. From a standards perspective, we will have PCI DSS 4.0 rolled out over the next two years, so that’s a major change again with regards to payment security and data storage for payments.
We’re going to have to watch that space. I expect it’s going to be a very busy year and companies will be asked to demonstrate that they are accountable for keeping the data safe.
That’s the concept of cyber accountability that I think we should talk about.
Antony Adshead: What is cyber accountability and what steps can organisations take to achieve it?
Mathieu Gorge: Cyber accountability … is essentially the idea that a company and its principals – the key decision-makers, shareholders, the C-suite, the board of directors – need to be able to demonstrate they know where a transaction originated from, who allowed it and what it actually meant for the data. Was the data changed, was it manipulated, was it stolen, did it leak out of the enterprise, or whatever?
And so that concept of cyber accountability means an organisation needs to be able to demonstrate at any given time that they take cyber compliance seriously, they put the right technical measures in place, the right policies and procedures, the right training and can demonstrate where they are in compliance and where they are not, and that they have a clear roadmap towards compliance that is timely and efficient.
The challenge that we have right now is that when we get into the boardroom, when you talk to the C-suite about cyber accountability, you are faced with what I call the five stages of cyber accountability grief.
The first stage is denial. “It doesn’t apply to us, we’re here to build the company, grow employment, to generate profits for the shareholders – don’t bother us with cyber!”
The next stage is anger. “We’ve given you money to hire a CISO, a compliance officer, put firewalls in place, to train people. Go and talk to the compliance people; they’ll look after you.”
Then comes the bargaining stage. “We can see our competitors are being audited by the regulators, we can see other people have been hacked. So, maybe we should hire a big firm to come in and do an assessment and that’ll be us off the hook.”
That’s a good start, to get some external help, but it doesn’t give you a get-out-of-jail card.
Then comes the depression stage. “We really need to do something. How are we going to do it?”
Cyber accountability is really about that concept of security being a journey and not a destination.
I cover all those topics in my book – The Cyber-Elephant in the Boardroom – in more detail, but in a nutshell what this means is not rocket science.
Cyber risk is just an additional business risk that the board can deal with, because the board deals with risk day-in, day-out: financial, HR, reputation, M&A, growth. They deal with risk all the time.
What we need to do as an industry is simplify the message and explain to them why they need to have cyber accountability and how they can put it in place. And that definitely touches on making sure you’re compliant, making sure you only store the right information at the right time in the right circumstances, and that you have a system to demonstrate that you do that.
I would expect that, with all of those new regulations out there, we’re going to see a lot more C-level people and board-level directors being held accountable in the public domain for cyber and compliance. I think 2022 is going to be a turning point on that front.