We’ve moved on from the incident response phase and are now firmly in the compliance game, especially when looking at supply chain risk. Has your Risk/Compliance team got to grips with this yet?…:
[…] Although CISA has provided guidance on open-source tools that are available to private- and public-sector companies to detect potentially malicious activity, the damage has been done. It’s at this point that a cyber-attack—no matter how massive or small—becomes a compliance problem.
With the SolarWinds hack, a key question on the minds of many companies is, “‘If SolarWinds is something our vendor uses, does this vulnerability become ours?’ I would say absolutely,” Sam Abadir, director of industry solutions at NAVEX Global, said during a recent webinar. The same answer applies to third parties who use Microsoft cloud software that may now be compromised.
From a regulatory compliance standpoint, data loss or exposure in the network opens a company up to potentially heavy fines resulting from violations of data privacy laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA). From an enforcement and brand perspective, the bottom line is this: Enforcement authorities, clients, customers, patients—nobody is going to care whether the data was exposed by a third party; they’re just going to care that it was exposed.