Regulatory Security Compliance


Michel Ract-Mugnerot
Senior Infrastructure and Cybersecurity Architect

Over the past years, I have been working for several large French companies, all of which had at some point faced the troublesome journey of regulatory security compliance.

Certainly, the pressure of laws and regulations protecting sensitive information, such as personal data and financial data, is felt somehow by the entities that manage information systems on behalf of the Head Office. The question is what actually drives those entities.

Are they carried along by a heightened sense of risk exposure, fuelled by the relentless spread of ever-newer cutting-edge technologies?

Or by fear of the potential ruin, financial as well as reputational, that a leak of such sensitive information could bring?

I leave the reader to make up their own mind, but I believe another path may exist, one driven less by fear of consequences or by mind-numbing rule-following.

Let’s take a look.

Looking back in the rear view mirror

The rise of regulatory security frameworks can be attributed to several major events and factors, including:

  1. The string of Data Breaches that have affected a significant number of companies around the globe (e.g. Equifax in 2017 and the exposure of the personal information of 143 million customers, including Social Security numbers, birth dates and addresses).
  2. The growing threat of Cyber Attacks and their potential for significant economic and national security impact (e.g. in 2017, the WannaCry ransomware attack affected more than 200,000 computers in 150 countries, causing widespread disruption and significant financial losses).
  3. The increasing Economic Cost of information systems failure: in 2012, a software glitch at Knight Capital caused the firm to execute a flood of unintended trades in just 45 minutes, resulting in losses reported at $440 million to $461 million.
  4. The vast amount of personal information shared online, which has led to multiple Data Privacy incidents (e.g. in 2018 it was revealed that Cambridge Analytica, a political consulting firm, had harvested the personal data of millions of Facebook users without their consent and used it for targeted political advertising during the 2016 US presidential campaign).
  5. The Legal Obligation of governments to protect their citizens from harm and from the risk of fraud (e.g. in 2013, it was revealed that the National Security Agency (NSA) had been secretly collecting data on U.S. citizens through a program called PRISM).

The development of Industry Standards and best practices has also played a role. It is widely acknowledged that standardization encapsulates the best of collective experience and highlights the pitfalls that should be avoided.

Many of the most prominent regulatory frameworks are built upon industry standards as a way to ensure that organizations have the necessary controls and processes in place to meet regulatory requirements.

For example, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major card brands, through the PCI Security Standards Council, to ensure the security of cardholder data.

However, there is a thin line between Conformance and Security, which I will dig into in the hope that it will clear the way towards compliance.

See you soon!

Tags: Cybersecurity Act, DORA, EIOPA

