How to Be Compliant in 2018

2017 saw an inordinate number of cybersecurity breaches take place, and the aim in 2018 will be ensure that you are compliant with many of the new compliance regulations coming into effect. 2017’s biggest security breaches include the Equifax breach, state-sponsored attacks, Russian manipulation of social media, WannaCry, and innumerable phishing scams. Security was compromised at every level, and something needs to change in 2018.

Many CIO’s and top security experts predict that attackers in 2018 will be smarter, breaches will be bigger and security teams and budgets will struggle to keep pace.

There is reason to be optimistic, though.

Things may well get worse before they get better, but I believe we will see real progress in 2018. This is mainly down to the changing landscape of compliance, that is putting security at the forefront of many people’s minds. With that being said, let’s take a look at some of the key things that are likely to affect compliance in 2018

1. HITECH: A potential game changer

The healthcare sector was hit particularly hard in 2017, with numerous healthcare organizations and hospitals affected by data breaches and ransomware attacks. If we dig deeper, the consensus view is that HIPAA had not been rigorously enforced in the past. This is likely to change with the HITECH act:

• In 2018, the HITECH act anticipates a massive expansion of Electronic Protected Health Information (ePHI) while widening the scope of privacy and security protection available under HIPAA. The act also emphasizes the potential legal liability for non-compliance by healthcare organizations, throughout the USA.
• Other HITECH requirements include PHI safety, digitization and sharing information electronically with patients and doctors across the USA.
• The ultimate goal of HITECH is to promote the use of secure, interoperable Electronic Health Records throughout the U.S. in three stages:
  Stage 1 – The core objectives include measures to increase medical quality, deploying and securing Electronic Health Records.
  Stage 2 – Emphasizing on electronic security, encryption, and security risk analysis. Security updates are specifically mandated to Protect Patient Health Information.
  Stage 3 – Stage 3 is still being ironed out.
  Non-compliance with HITECH
  Civil penalties for willful neglect will be enforced more strongly. These penalties can extend up to $250,000, and with fines for repetitive violations potentially reaching $1.5 million.

2. Updates on PCI DSS 3.2

Another talked-about update in the world of compliance is the PCI 3.2 update, which will be mandatory from February 1st 2018. This new update will affect all merchants and service providers who accept credit card payments; including MasterCard, Visa, Discover and American Express. The main objective is to strengthen the security landscape for consumers against the cyber-attackers and hackers. The new standards provide comprehensive information designed to reduce risks from cyber intruders and safeguard the personal and account information of customers.

Following are the latest updates on PCI DSS 3.2 to prevent security breaches:

• Multiple authentication factors for CDE (Cardholder Data Environment)
• Periodic reporting and detection of system failures
• Response to security incidents on an immediate basis
• Changes in wording – Displaying only first six digits and last four digits of a credit card number or PAN number
• Encryption architecture documentation – use of protocols, keys, and algorithms to protect cardholder data
• Verifying requirements of PCI DSS on new and modified networks
• Security policy reviewed every three months
• Tests for constant intrusions conducted every six months
• Maintain quarterly review documentation

All these changes serve to protect your company, cover financial institutions as well as your valued customers. If you are not PCI compliant at the moment, you haven’t got long to fix it!

3. A tight grip on MiFID II Regulations

Lately, financial markets have witnessed an unprecedented growth in threat levels, leading to multiple high profile cyber-attacks. To combat this, an increased strictness on regulatory compliances, especially MiFID II, could be the answer.

The MiFID (Markets in Financial Instruments Directive) is applicable across the European Union and has been since 2007. It is a cornerstone of the EU’s goal of seeking to create a single market for investment activities and services. It also ensures a high degree of protection for investors in financial markets. MiFID II Regulation guidelines states:

• Extending the transparency of exchange-traded instruments to virtually all OTC markets.
• Strengthening investor protection and increasing market probity through stronger regulatory oversight.

4. GDPR is finally here

The most-awaited compliance – the General Data Protection Regulation (GDPR) – is now only a few months away. It’s a broad and all-encompassing data privacy blanket covering all European Union citizens. Some of the GDPR requirements include gaining consent to process personal data, notifying authorities and individuals of data breaches on time, and ensuring individuals’ have access to data, legitimately. Other GDPR best practices include – assessing existing processes, preparing for breaches, using the latest technology to fill gaps, and tracking certified admins.

Non-compliance with GDPR

Companies face potentially huge penalties for non-compliance; fines up to 4% of annual company turnover or $21.6 million, whichever is greater.

5. The Fundamental Review of the Trading Book

The FRTB regulation will be an all new entry in the compliances sector, with a provisional deadline in 2019. FRTB addresses market risks using strict practices which are globally accepted and covers equity, rates, credit and commodity asset classes. Non-compliance with this regulation can have serious implications for the security of market-related products.

Planning for the worst

If you have not already initiated and formulated a security plan for when you suffer a ransomware attack or a breach, I suggest you do it now. Let’s learn from the mistake of Equifax, Yahoo and numerous others. If you need any help ensuring that you are able to meet these numerous compliance challenges, then contact us.