Many clients are in regulated industries with specific data security requirements.  They often believe that they are fully compliant with these obligations, especially if they outsource IT infrastructure to Software as a Service (SaaS) providers that specialized in servicing their industry.  These SaaS providers often make representations that their services are compliant with the regulatory requirements.

Unfortunately, this is often not the case.  Most security regulations require some sort of management function, and fully outsourcing the technical aspects of data security is not sufficient.  Even for those clients that are fully compliant, the regulatory investigation into a breach may cause more disruption and more costs than the breach itself.

You Can’t Outsource Security

Lots of vendors offer some sort of compliance solution in a box as part of the increased use of Software as a Service.  These solutions are often great; the cost to implement security measures through SaaS can be significantly less costly (in both money and effort) than doing so internally.  However, they are never a full solution.

Most organizations cobble several of these solutions together, and there can be gaps in between.  There is also always a human element that needs to be addressed.  Finally, an organization can outsource the work but not the responsibility; executive leadership still needs to direct cybersecurity efforts.

It is important for organizations to understand everywhere they have sensitive data.  It is also critical to make sure everyone who may have access to that sensitive data is properly trained on security procedures and risks.

Regulatory Investigation is Expensive

Even if an organization avoids penalties after a data breach, the investigation alone can be more expensive than the breach itself.

Many regulators will request extensive documentation related to both the incident and the organization’s cybersecurity program.  Haphazardly producing documents creates significant risk of an enforcement action, so the organization will need to carefully review responsive documents and work to create the proper context around them.  Regulators are also overburdened, so they take longer to resolve investigations than many organizations would like.

Even a relatively inconsequential breach can lead to a significant regulator inquiry if not handled correctly.

Be Proactive with Regulators

All regulators have specific things that concern them.  Addressing those concerns proactively can reduce regulator interest in a particular breach.  If an organization can show that it is being responsible in remediating a breach without regulator direction and that remediation addresses long standing regulator concerns, an otherwise painful investigation can be concluded relatively quickly.

Conclusion

Organizations, especially in regulated industries, need to be aware of their obligations.  This goes beyond passing the buck to a vendor.  Instead, management should ensure that it if fully informed of what the organization is doing to meet its obligations, including training and risk management.  A proactive organization will understand the specific threats that concern its regulator and address those threats directly.