For regulators, cybersecurity must be more than just site visits and questionnaires

Hardly a week goes by without a headline-grabbing cyberattack on a bank, retailer, health insurer, government agency or political campaign.

The hacking surge has cast a harsh light on America's cybersecurity preparedness and forced the public and private sectors to respond to a growing and evolving threat.
As organizations enhance their own defenses, federal regulators in critical industries such as financial services, healthcare and energy are also becoming more involved, examining companies' security infrastructure and policies and enforcing cybersecurity readiness.

But are these regulatory efforts working? What more should regulators be doing?

There has been a flurry of regulatory activity in recent months, including some great personnel moves.

In June, the Securities and Exchange Commission (SEC) announced the appointment of Christopher Hetner, the former cybersecurity chief at Ernst & Young and GE Capital, as senior adviser on cybersecurity to SEC Chair Mary Jo White. By creating the new position and hiring a big gun from the private sector, the commission demonstrated its seriousness in addressing security policy, engaging with external stakeholders and improving the SEC's efforts to reduce risk.

Also in June, the Federal Energy Regulatory Commission issued new rules directing the North American Electric Reliability Corporation, the regulatory authority responsible for assuring the reliability of North America's power grid, to develop new standards covering key security areas such as third-party vendor risk management and software patch integrity.

And, after a long delay, the Department of Health and Human Services' Office for Civil Rights recently instituted a new cybersecurity audit program for healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA).

While these are solid and encouraging moves, regulatory agencies might also consider others that could fundamentally improve cybersecurity enforcement.

One has to do with the fact that regulatory bodies still rely on a rather old-fashioned technique for assessing compliance in cybersecurity (and really any area): having an examiner visit an organization's site and ask questions, or require the organization to fill out questionnaires.

This kind of "point-in-time" monitoring certainly has its value, but it can too easily become a once-a-year bureaucratic exercise that provides only a snapshot of an enterprise's cybersecurity health. These exercises are financially burdensome for the regulated entities to comply with, and budget-strapped agencies are also hard-pressed to stay on schedule with the assessments.

Regulatory agencies, fortunately, are looking at new commercially available technologies that provide critical cybersecurity performance data in a continuous fashion. This information would enhance the existing process with new insight into cybersecurity performance, potentially freeing up time and resources for assessors and regulated entities alike.

It's wise for regulators to include third-party cyber risk management as a key part of their cybersecurity enforcement agenda in the wake of infamous breaches such as the theft of the confidential data of tens of millions of Target customers during the height of the 2013 holiday shopping season, and a server breach at the U.S. Office of Personnel Management that compromised sensitive personal information of about 21.5 million people.

In both cases, the hackers gained access via an unsuspecting third party: a heating and air conditioning subcontractor that had worked at a number of Target locations and an OPM contractor.

Regulators might look to the successful implementation of third-party risk management programs in the financial sector for a blueprint for how to approach this issue in their own sectors.

In fact, regulators should put a priority on sharing information and best practices across the government. Better cybersecurity happens through a coordinated strategy rather than siloed approaches.

The Federal Financial Institutions Examination Council, an interagency body that includes five banking regulators and is charged with promoting uniformity in the supervision of financial institutions, is a good example of an entity that can play a role in pushing for consistent cybersecurity standards.

The Obama administration has had a working group, made up of regulators across a variety of sectors responsible for cybersecurity oversight, to discuss key issues and share information. There are many best practices to share between these groups, and it would be a good idea for that group to become more active, either now or in the incoming administration.

It's become imperative for regulators to put their best foot forward in helping reduce cybersecurity risk. Compliance can no longer be just a box-checking exercise, but should leverage the latest technology and thinking for a modern approach to thwarting hackers.

Olcott is vice president of business development at BitSight, which provides companies with objective, evidence-based security ratings.

The views expressed by contributors are their own and not the views of The Hill.