COVID-19 may have slowed down business, but it hasn’t slowed down time. Meeting the deadlines to demonstrate compliance with cybersecurity regulations and certification standards under pandemic conditions is proving to be a challenge for some companies.
A survey of 100 North American CISOs that was conducted last June and whose findings were released on Sept. 15 found that even in the coronavirus era, security professionals are prepping for 3.3 audits on average over the next six to 12 months, as they seek compliance with multiple frameworks and standards, such as those mandated by the Health Information Trust Alliance, or HITRUST (51 percent of respondents), HIPAA (45 percent), the Payment Card Industry (41 percent) and the California Consumer Privacy Act, or CCPA (41 percent).
And yet, as they circle these dates on the calendar, CISOs must contend with inadequate tools, budgets and manpower. Among the CISOs participating in the survey, commissioned by automated cloud compliance company Shujinko, two-thirds said they dislike their current audit preparation toolsets. Asked how the audit preparation process could be improved, respondents cited better automation, communication and collaboration as their top three preferences.
“This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO and co-founder. “Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility.”
Other experts in the field agree that companies are scrambling to meet cyber audit compliance deadlines due to complications from COVID-19. For starters, the pandemic diverted CISOs’ attention as they scrambled to convert operations to a work-from-home model. And secondly, the sudden proliferation of new WFH tools and infrastructure potentially introduced a new slate of non-compliance risks.
Under these strained conditions, businesses are at risk of security control degradation, warned Jeremy Huval, chief compliance officer at HITRUST. What’s more, he added, introducing significant changes to one’s business in light of COVID-19 could actually trigger additional scrutiny, because “many security and privacy regulations and frameworks require organizations to perform risk assessments not only at a set frequency, but also when significant changes occur.”
Of particular concern, said Huval, are manual controls, “which are inherently at a greater risk of being overlooked or jettisoned altogether than their automated counterparts.” But sources of non-compliance could also come from “systems implemented and capabilities established under duress,” because they were installed with a “we-need-it mindset more than the we-need-to-secure-it mindset.”
“Yes, COVID-19 has certainly caused delays amongst organizations actively involved in HITRUST assessment activities,” said Andrew Hicks, vice president of risk assurance and national HITRUST practice lead at Frazier and Deeter, LLC. “These delays have largely been reduced over the past two-to-three months since organizations have now discovered alternative ways to perform remote assessment activities, but at the COVID-19 onset back in March, assessment activities were crippled as organizations, and their control owners, worked to modify their business operations to support a 100 percent remote workforce.”
“Relative to HITRUST, organizations have annual requirements that could be in jeopardy should they not be able to complete their required maintenance and/or re-certification requirements,” Hicks added.
Paul Breitbarth, director, policy and strategy at TrustArc, agreed that the sudden switch to work-from-home operations changed the game for a lot of organizations, and “caused a re-prioritization of efforts of compliance departments: assessing working-from-home and web conferencing tools, implementing additional security like VPNs, etc. This will have taken attention away from ongoing, regular compliance efforts.”
Working remotely also makes cooperation and collaboration within an organization “slower and more complex,” he added, “especially when brainstorms are required to find creative solutions for compliance challenges.”
Dr. Zulfikar Ramzan, chief digital officer at RSA, said a particularly tricky compliance challenge for businesses under COVID-19 is how to efficiently respond to data subject access requests (DSARs) from individuals who demand to know how their data is being stored and managed.
“Responding to DSARs requires some coordination among multiple parties. A distributed and remote workforce only serves to exacerbate the situation,” said Ramzan. “Compounding the challenge, organizations often have a limited time window to respond.”
Under the EU General Data Protection Regulation (GDPR), DSARs generally must be answered within one month, while the CCPA gives 45 days.
There are, of course, consequences for lapses in compliance, including costly financial penalties imposed by government regulators or loss of certification, which is expensive to win back.
Organizations “know all too well that while achieving an information protection certification is hard, losing one can be harder,” said Huval. “Losing such a certification means more than just pulling a stamp from marketing materials and updating the website – as it can sow doubt in the minds of customers and other stakeholders. To many, demonstrable security and privacy assurances are a prerequisite of doing business.”
But Breitbarth doesn’t think most companies will allow themselves to lose certification status. “That could not only be a costly affair – re-certification is generally less costly than initial certification – but would also cause other problems, especially in B2B relations, [as] many organizations ask for certifications as part of security arrangements.”
Don’t expect leniency from standards bodies
Certification bodies and regulatory agencies are unlikely to overlook or make exceptions for compliance violations and failed audits. Even if COVID-19 is a viable excuse, there is little wiggle room or leeway for error.
“Be wary of any assurance mechanisms based on loosened standards,” said Huval. “Certifications and assurance reports have value only in their reliability, not through how flexible the certification body is. Loosening of requirements undermines the value of certifications and assurance reports, and happens at the expense of the relying parties.”
“Similarly, it is not advisable to rely on assurance reports from certification bodies offering blanket extensions to a certification validity period,” Huval added. “Scribbling out the expiration date on a milk carton and writing a new one doesn’t make the milk inside expire any slower.”
With that in mind, “HITRUST made the decision to not universally waive HITRUST Assurance Program timing requirements, as doing so goes against the overall integrity of our assurance program and the reliability of HITRUST CSF [Common Security Framework] Certifications. We did, however, act quickly to communicate assessment options that helped meet market needs while still maintaining our aforementioned integrity and reliability.”
To help ease the burden on health care organizations, HITRUST has waived its requirement to conduct on-premises validated certification assessments, allowing for remote assessment instead. And in April the organization introduced its “Bridge Certificate” as a temporary solution for organizations that can’t meet re-certification deadlines; an organization qualifies by demonstrating that its scoped control environment hasn’t degraded and is unlikely to do so before the certificate expires in 90 days.
Organizations that lose HITRUST CSF certification may be unable to meet certain of their contractual obligations or participate in health information-sharing activities, HITRUST notes.
Troy Leach, senior vice president and engagement officer for market intelligence and stakeholder engagement at the PCI Security Standards Council (PCISSC) – which develops payment industry standards but doesn’t enforce them – said his organization has instituted its own measures to help. PCISSC created a webpage offering resources and announcements designed to help organizations maintain security practices during the pandemic.
“We are certainly living in unprecedented times,” said Leach. “Our mission is to listen and collaborate with the global payment industry and provide guidance, standards and programs that remain relevant to help secure payment data.”
In response to the pandemic, PCISSC is “providing reassessment extensions to qualifying P2PE [Point-to-Point Encryption] solutions, revising dates for key block implementations, and extending the expiration date for rollout of PIN Transaction Security Point-of-Interaction (PTS POI) version 3 devices,” said Leach, noting the PCISSC’s COVID-19 page also contains guidance on performing remote compliance assessments.
A few global standards bodies have been a bit more forgiving. The Irish Data Protection Commission in March said it understood that DSARs would be difficult for organizations to meet on time. And while timelines for response as dictated by GDPR can’t be changed, the agency did say it would consider extenuating circumstances related to COVID-19 when complaints are filed.
Also in March, the Dutch Data Protection Authority (AP) said that on a case-by-case basis it would extend the deadline for organizations to respond to inquiries from the regulator.
Brazil also recently postponed the enforcement of the Brazilian General Data Protection Law, or LGPD, until August 2021 – but the law itself has nevertheless taken effect, and any individuals whose privacy is violated could still seek remedies once the enforcement date arrives.
On the flip side, some standards enforcement will actually get stricter, “given the higher risks of unlawful data processing, for example, through the collection of health data of employees before they can return to work,” said Breitbarth, adding that “specific COVID-19 related enforcement action has likely been initiated by multiple regulatory bodies.”
There’s no magic formula – just get to work
If hoping for a bailout from standards bodies is unrealistic, then all that’s left is for organizations to get to work – and hopefully they’ve already gotten started.
Huval said companies should start asking relevant questions about the “people, process and technology changes brought about in response to the pandemic,” including what the risks are with a remote workforce and if controls are in place to mitigate them.
“To be honest, there are no quick solutions to compliance,” said Breitbarth. “It is not just a tick-box exercise – it requires actual work on an ongoing basis… What companies should be aiming for is ongoing compliance, by building out an accountable privacy compliance program, with regular reviews and, where needed, updates of segments of the program. That way, even if something like COVID-19 happens, you have a program that you can rely upon.”
Breitbarth continued: “For companies that have not yet built out a full privacy compliance program, it would be recommended to start with a gap assessment: which are the legal requirements that they need to comply with, and what are the policies and procedures already in place. Once that is done, they can start developing a remediation program to fill any gaps, including a plan.”
Ramzan agreed that the road to compliance isn’t easy. “There’s no privacy and cybersecurity pixie dust that can be sprinkled on top of organizations to ease their woes. To have effective programs around privacy and data security, organizations must introduce these elements early on and create the right foundations,” he said.
“At the heart of these efforts is an understanding of data pipelines and information flows. Companies should create a data flow and governance architecture that facilitates the implementation of effective privacy, cybersecurity, and risk controls. Organizations will need to have effective measures to lower the chances of a material cybersecurity or data privacy incident, and they will need ways to prove to others that they have implemented the right measures. Data security and privacy programs are deliberate efforts; they cannot be divined out of thin air.”