
Remember GDPR? Expect another set of cyber regulations around vulnerabilities

For the first time in its 60-year history, the OECD has offered policy guidelines for risk reduction through vulnerability management. Today's columnists, Rayna Stamboliyska and Tarah Wheeler, offer some insights on how the industry will respond.

For the first time in its history, this past February the Organization for Economic Cooperation and Development (OECD) offered policy guidelines for digital risk reduction through vulnerability management. We were asked to contribute comments and expertise on how governments and private companies can handle cybersecurity vulnerabilities. Those efforts are part of a broader trend: We see a massive increase in intergovernmental conversations on vulnerability non-proliferation.

We are surprised and gratified to see this sensitive topic in the public sphere so quickly. Organizations should anticipate having to treat these new vulnerability management guidelines as seriously as they treat GDPR. New regulations are on the way, and preparing for them means less “hair-on-fire” running up to deadlines. 

Every organization should have a responsible and accountable program for reducing risk through vulnerability management. The OECD has stepped up to fill a void: We do not see countries rapidly adopting policies to incentivize vulnerability non-proliferation. These guidelines are therefore likely to reach organizations directly, as an international best practice, rather than filtered through any country-level regulatory response. There is no way to eliminate security vulnerabilities completely, so it is our shared responsibility as a global information security industry to implement approaches to hunt and fix them swiftly.

The OECD is an intergovernmental organization with the overarching ambition to build prosperity. Its members are nation-states. It does not come naturally for such a body to suggest regulatory guidelines directly to companies instead of filtering them through each country's policy framework. In 2021, multinational companies are making their own rules. Country-level guidelines are frequently absent or insufficient, and as a result companies must ethically defend themselves, initiate vulnerability management programs, and decide for themselves whether to pay the ransom in a ransomware attack.

Why should organizations pay attention? Vulnerability management is a seemingly arcane topic, yet every organization should keep it top-of-mind when managing cyber risk. For American organizations, only the GDPR wake-up call in 2018 compares. Most organizations did not take GDPR seriously until they had a few months to go before it took effect in 2018, and then everyone panicked. These guidelines anticipate the impact that vulnerability management regulation will have on global organizations operating in OECD member countries.

The sheer fact that the OECD plans to tackle vulnerability management must serve as a new wake-up call. Vulnerability non-proliferation normally gets relegated to a cadre of disheveled hackers, but the cliché no longer holds: Vulnerabilities are ever-present, and so are organizational responsibilities in an area that previously was not considered part of "prosperity."

The consequences of not paying attention to vulnerabilities are dire for organizations and individual users alike. Remember the 2014 Sony hack? Attributed to North Korea, the incident transformed into a deeply rooted crisis when the attackers started releasing everything from salaries and emails about movie stars to unfinished film scripts and unreleased film footage.

Organizations should pay more attention to international and country-level guidelines on information security best practices. WannaCry hit public and private entities in May 2017. Transportation giant Maersk reported losses of roughly $300 million from NotPetya a few weeks later. The ransomware business has continued to grow unabated ever since: Tens of thousands of ransomware incidents happen every week, in every country.

Since the end of 2020, we have witnessed the increasing prevalence of coercion through technology. One example has been the Vastaamo data breach in Finland. Vastaamo is a private psychotherapy provider that subcontracts to several major public-sector hospital districts in Finland. The sensitive data of more than 40,000 patients, many of whom were children, had been compromised in 2018. When the company refused to pay to prevent the data from being publicly released, the cybercriminals started extorting individual patients directly. The cruelty of that blackmail left people reeling in isolation until the information security community, without governmental assistance or acknowledgement, decided to act: Finnish infosec pros organized to track the leaked data and protect patients from further abuse.

These examples show what happens when there are no governmental frameworks or incentives for vulnerability management, and organizations are left to deal directly with malevolent cybercriminals on their own.

Cybersecurity has entered the national conversation. Organizations must take responsibility for their technical and information security risk, because countries are not doing it fast enough, and the OECD is now giving organizations the guidelines to do it themselves. These complex questions about how to identify, mitigate, transfer, and accept risk now apply across borders. Start the conversation now about how the organization will responsibly respond when no country-level guidelines are available.

Rayna Stamboliyska, vice president of governance and public affairs, YesWeHack; Tarah Wheeler, cyber project fellow, Harvard Kennedy School of Government Belfer Center for Science and International Affairs
