Cybersecurity and corporate responsibility – It’s time for Regulators to put their foot down

One in four Americans (25 percent) fell victim to information security breaches in the past year, according to a new survey from the AICPA conducted by Harris Poll. This represents a staggering growth from last year’s survey (about 11%).

An even more troubling figure is that 86 percent of adults reported some concern about businesses’ ability to safeguard customers’ financial and other personal information. Combine these two statistics and the picture becomes clear: it’s not that people are more lax about securing their online information; this precious information is being stolen from the corporations and organizations that are in charge of safeguarding it. In fact, you don’t even need to own a computer (or a phone) today to be a victim of cybercrime; having a credit card, bank account or health insurance is enough, putting adults in most western societies at risk.

Luckily, the regulators are starting to grasp just how serious the situation is, and are altering regulations and laws to address it. They are working independently throughout the world, and it seems that there are 3 main pillars to their line of thought:

1. Corporate responsibility
2. Breach notification
3. Cyber insurance

In the US, on 16 April 2015, the NAIC Cybersecurity Task Force adopted twelve “guiding principles” for effective cyber security by insurance companies. One of the articles states that “Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded”. In addition, the US Congress is debating the so-called “Data Security and Breach Notification Act of 2015”; if passed into law, it would be the first federal rule requiring businesses to let consumers know that their personal information may be in the hands of hackers.

The ‘Big 4 firms’ note that the regulator needs to take action against cyber-crime, as KPMG senior manager Matt White said recently: “I believe it is a dead certainty that regulators everywhere are taking note of the issues around cyber-crime, particularly at asset managers. While the industry has collaborated increasingly on the issue, I think regulators are going to impose rules on reporting cyber-breaches soon. Unfortunately, I do not believe this will be done in a uniform manner but the rules will be fragmented”.

Perhaps the most far-reaching measure of them all comes from the humble Israeli Supervisor of Banks, who recently issued “Directive 361”, Cyber-security Management, aimed at banks and credit card companies (you can read about this in another post). The directive moves cybersecurity efforts to the center of banks’ boardrooms and shifts the responsibility directly to the C-suite, with 2 tangible orders:

• Banks and credit card companies must appoint a cyber-security manager;
• Board of directors’ responsibilities must be defined in the cyber realm.

These measures (taken after some major breaches shook the local banking sector in 2014) will become mandatory towards the end of the year, and it will be interesting to see how banks adapt to adhere to these strict guidelines. No doubt, the rest of the world will be watching and learning from this experiment, with the hope of bringing some safety to this chaotic cyber world.