Corporate Counsel, Corporate Communications
Just a few years ago the only companies that took the initiative to prove their cybersecurity credentials, generally, were the ones required to by law. However, in the past three years, companies in the SaaS, consumer data and marketing sectors have come under increased pressure to document and certify their information security practices to outsiders.Note: This is the second part in a series of blog posts Alliant will publish on its experiences achieving SOC 2 certification. You can download the entire series here.
Organizations are increasingly evaluating whether they should attempt to become certified or accredited, even if they are not under statutory or contractual obligation to do so. Obviously, organizations that are required to comply with HIPAA or PCI understand the obligations. This year — no matter what sector your company operates in — if you hold consumer information for marketing and/or operating purposes you should consider whether some kind of cybersecurity accreditation would be a worthwhile corporate goal.
The next question concerns the auditing and certification framework that’s right for your company. Management should work with qualified counsel to define critical needs.
However, some basic questions to ask include:
Are we fully compliant with existing legal/contractual requirements such as Dodd-Frank, PCI, HIPPA and GDPR? Are we prepared for upcoming regulations such as CCPA?
Which information assets are critical to the business and warrant security investments?
Which business units handle sensitive or proprietary data that should be audited?
Are our current practices sufficient to obtain certification in all areas?
What reps and warranties concerning data security are our clients and partners likely to require?
What are our risks? Could our organization afford to pay for breach notifications required by law or survive a lawsuit resulting from an unreasonable cybersecurity posture?
There are different standards that focus on the ability of an organization to identify threats, protect itself, detect attacks, respond to incidents, and recover from them. Because these factors are the first line of defense, every cybersecurity standard covers some combination of them.
Alliant chose SOC 2, an accounting standard formulated by the AICPA. Another popular standard is the ISO 27001 framework, which is part of the ISO/IEC family of supply chain quality assurance. ISO/IEC is well-respected internationally. If you are doing business internationally or want to seek EU partnerships, you may want to evaluate the ISO 27000 framework.
Another popular protocol you may want to consider implementing is the NIST Cybersecurity Framework. This standard is published by the federal government and designed to provide easy to use guidance for business and other private organizations.
It is increasingly unreasonable to expect to hold consumer data without having the resources to protect that information. If your company routinely manages data for clients and other third parties, you should absolutely commit resources to assure your place in the secure data supply chain. Data resellers, analytics companies, digital publishers and advertisers, and others that use or rely on consumer data should all be prepared to validate their cybersecurity procedures, even if data is not your company’s primary business function.
Download Full Article
This is the second in a series of blog posts Alliant will publish on its experiences achieving SOC 2 certification. You can download the entire series here.
*This post is provided for informational purposes only and is not legal advice. Each organization should work with qualified counsel to understand its obligations and opportunities for improved data quality and approved certifications.