Reimagining Cyber - real world perspectives on cybersecurity

Navigating 2024 Cyber Regulations - Ep 79

January 10, 2024 Reimagining Cyber Season 1 Episode 79

In this episode, Rob Aragao and Stan Wisseman unravel the dynamic world of cybersecurity regulations, providing a sneak peek into the changes expected in 2024. From the upcoming PCI DSS 4.0 release strengthening cybersecurity postures to the FTC's push for timely breach notifications, and the SEC's implementation of breach disclosure rules, they navigate through the intricacies of compliance.

They shed light on the NIS2 directive, emphasizing the continuous evolution of cybersecurity practices, and delve into the EU Cyber Resiliency Act, encouraging security by design principles for products and services sold within the EU. The duo also examines the state-level privacy laws emerging across the United States, emphasizing the complexities organizations face in navigating this patchwork of regulations.

Tune in for insights on how these regulations impact businesses, the penalties associated with non-compliance, and the importance of a proactive, risk-based approach. Stay informed and ready for the evolving cybersecurity landscape in 2024!


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Stan Wisseman: Hello, everyone. Welcome to another episode of Reimagining Cyber. This is Stan Wisseman. I'm here with Rob Aragao, my co-host. And Rob, I ping my kids periodically to say, Hey, are you, are you listening to the podcast? You know, cause I, I know they occasionally listen and I was surprised that my daughter had listened to the NIS2 directive episode that we did right before the break and she's, she really liked it. And I, I was kind of mystified in the sense that, okay, this was kind of a dry topic in some ways, because it's about a cybersecurity regulation. She's not in cybersecurity at all. What did you like about it?

[00:00:38] It's like, well, he had a really cool accent. It's like, okay, but it, it, it is, it sort of is a good prompt for us to realize that regulations are important. You know, I, I, I think that it. We believe they're reactive in nature, right? Because you, you have regulations many times as a result of recognizing that you need to do something in, in, in, in, in the context of a threat, right?

[00:01:04] Rob Aragao: Well in the context of a threat, in the context of because of this regulation and because of the associated penalties and fines, and I need to prepare myself for the audit that's coming. I, therefore, will go ahead and spend and, you know, put some potential controls in place to help me avoid those penalties, those fines as well.

[00:01:21] Stan Wisseman: Well, and, and let's face it, the main goal of, of, of these regulations is to safeguard personal information and sensitive information and help ensure that organizations are ready and hopefully reduce the number of breaches, even though the numbers don't reflect that. Even if we've got more regulations in place, the breaches continue to go up. I think it's a good idea to start out 2024 with a review of what's coming, right?

[00:01:48] There are a number of regulations that are going to drop, right? And why don't you start off and lead off in chronological order here. You know, what's, what's going to hit first?

[00:01:58] Rob Aragao: You came up with the concept of today's theme, and I think when you told me about it, I was like, you know, you just never really think, I'd never really thought about it because we do

[00:02:07] episodes typically on like, you know, one area of maybe regulation, an act that's just been released or coming due, making people aware of it. We give them an update. We bring in guests to talk about that. Like you said, the NIS2 directive that we just did recently. And I think, you know, again, your, your, your focus on, hey, let's, let's help the audience be kind of more cognizant and aware of what's coming for them this year

[00:02:32] is good. So we'll, we'll do that. We'll go through a handful and I'll start, Stan, with the ever-evolving PCI Data Security Standard, right? That's been around for many, many years. So the, the new version 4.0 goes into effect at the end of March this year, 2024. And you know, so it's an emphasis of being able to really strengthen and evolve your cybersecurity posture.

[00:02:57] And so some of the, you know, the areas really that I think have kind of been added or strengthened in what's planned for the 4.0 release of PCI DSS emphasize multi-factor authentication, right? That's something that's been there, but it's really putting more of a kind of focus on making sure that you're doing it right.

[00:03:20] There's a lot more you know authentication methods that now can be used with different technologies and making sure that that's also covered as part of this kind of, you know, new instantiation. Another thing that's come out of it, which is really interesting. And I remember joking about this. Back in the early days of of is this change from a point in time.

[00:03:42] Like, assessment or audit and to really being a continuous point of view on how you deal with security, not just for PCI, but just for, you know, kind of in general. And, and I, I say that again, we used to kind of joke about this because it was like, oh, you're going to have a PCI assessment, you know, let's say October timeframe.

[00:04:01] You made aware of it in, let's say, February, but you're going to have a pre assessment or pre audit. Right. In like the summertime frame, which is going to kind of tell you here are the areas that you're not doing so hot on and we're going to give you a few months before we really show up to actually go and ding you for the things you didn't do

[00:04:19] well, what do you do? You scramble to prepare for that. You get all everything, you know, your house in order. The actual assessment audit occurs, you wash your hands clean of it, and then you kind of forget.

[00:04:32] Stan Wisseman: And it's back to, yeah, it's a point in time assessment. Exactly. It's a point in time kind of event and then you're sort of like, all right, well, next time I'll be doing, do the process again next time.

[00:04:40] Yeah, very reactive.

[00:04:41] Rob Aragao: Right? So I think that's a good point that they really are emphasizing the, the continuous evolution of what you're doing for security as part of that. So those are kind of some of the, there's a couple other things, but that's a very key set of two, you know, kind of upscaling paths for what they're doing with the 4.0 release of PCI DSS. Thanks.

[00:05:00] Stan Wisseman: And when does that go into effect? March 31st. And I think we, we did an episode on payment security.

[00:05:07] Rob Aragao: We did an episode. We did it back episode 66. How does payment security work? 

[00:05:12] Stan Wisseman: All right. The one I'm going to focus on next goes into effect mid-May. It's the Federal Trade Commission on, you know, breach notification and, and, and the basic challenge we as consumers have is that, you know, we're, we're using our, our credit card information, we're, you know, in some ways sharing our personal data on a regular basis, and when a breach occurs, the time to act as far as monitoring what's going on with your accounts is, is, is as soon as possible.

[00:05:47] Right. And, and if, if you don't read, receive notification that a breach has happened and you're impacted in a timely manner, the bad actors could already have stolen your identity, have already done something with your personal information and you're, you're vulnerable. Right. So the FTC is, is putting this rule into effect.

[00:06:10] To significantly increase the the, the timeliness and these breach notifications to help ensure that financial institutions act swiftly and transparently when handling, you know, customer data like ours. And I, and I think. Let's face it, it's sometimes on, on the institution or, or on the organization side of the equation, it's difficult to know the impact of a breach and, you know, in those early days, right?

[00:06:40] I mean, many times you're, you're still gathering information to figure out what's going on, but there's that tension of, Yes, we all recognize it's hard to figure out the impact of a breach, but you've got to let people know you've got to let folks know that's got something going on so they can protect themselves as well because you're not going to protect me.

[00:06:59] Now your information is out. I mean, I need a, I need to start my monitoring of my accounts and possibly change account passwords and even possibly get new credit cards. So, I mean, it's, it's one of those things where there's that natural tension and the FTC is moving that line up to make the breach notifications happen faster.

[00:07:17] Rob Aragao: It's, it's at times a bit of a fine line. Right, from a public relations and how you communicate these things out there as well. So I think you know, that's, that's, that's a part of it. But I think that, that one actually plays nicely into the next one that I wanted to talk about. We talked about this throughout the beginning of last year to the end of last year in 2023, which is all about the SEC breach disclosure rules.

[00:07:40] And so it plays off of what the FTC is now doing, right? Of course. And, so, in the middle of December of 2023 the SEC breach disclosure you know, actually went into effect. We saw some, some examples out there one from Clorox, I think played it out very nicely with their security breach and, you know, and they did this before December 18th.

[00:07:59] They did it when they had their breach over the summer. I think it was August or so timeframe, right? But it was a good kind of blueprint for other organizations to see how that kind of process worked and the communication in a timely manner of what they knew, what they didn't quite know yet, and just make it available.

[00:08:16] And that's again released through an 8-K. Right? And then that needs to be reported, which will be now for their 10-K coming out. Right?

[00:08:25] Stan Wisseman: So this, this, so this was done in December, what's coming up this next year? 

[00:08:29] Rob Aragao: So what's coming up now is in June the smaller entities are the ones that basically kind of were given that almost a half year additional timeline.

[00:08:38] Extra time. Exactly. Right. Resources, you get it. Give them a little bit more of a buffer to get to the point of also having to be able to properly disclose information and, and so really that's, that's the, the next kind of phase of this is now becomes applicable to the smaller business entities and that goes into effect in June on June 15th where again, same type of reporting disclosure information required to answer these kind of, I think, four or five basic questions to get out there which is a lot easier than what was initially thought it was going to be.

[00:09:07] But again, we're going to keep an eye and see how that one evolves over the course of the next year or so. 

[00:09:12] Stan Wisseman: And, and we covered the SEC rules at least once, but I know in episode 69, we, we had a, an episode specifically on it, right? 

[00:09:20] Rob Aragao: We did. We covered it at least a couple times, but that was the one that we really went into details on.

[00:09:23] Stan Wisseman: That's right. So the next regulation dropping in is really the implementation of the NIS2 directive that we talked about at the beginning of the show. So we had Bjørn Watne who was the SVP and CSO at Telenor Group joining us. He had the, the great accent.

[00:09:44] Episode 76 and again. The intent of, of this directive is to upscale basically the, the cyber security resilience of EU nation states or EU members. And, and, and it really does expand the, the current NIS directive scope to include other sectors and includes additional security measures that have to go in place.

[00:10:09] And I think it is, again, like, sort of like the PCI, right? It's evolving with the times. It's, it's recognizing that the, the baseline that was established previously with the initial version of NIS did not, you know, cover today's threats adequately. And so this broadens the scope and covers more services and, and sectors than the first one and hopefully it'll, it'll, it'll raise the bar.

[00:10:36] I think, again, when you're looking at these regulations, You sort of have to perceive this as being a, a minimum level, you know, to address the risk. It, it's, it's recognition that, that the threat has evolved and you need to be putting in place these measures and it's, and it shouldn't be perceived as being all that you need to do, right?

[00:10:56] So, the, I, I think I'm not underplaying the, the difficulty in compliance to these regulations. I mean, it's not necessarily easy to change your organization to become compliant to, to meet all the security measures they're asking for. But at the same time, don't think that compliance in and of itself is going to be equating to security.

[00:11:20] Rob Aragao: Bjørn did a great job in going through the NIS2 directive. But I think one of the things I took away that I found great value in, I've seen it in the past for some other, you know, regulations and what not, Stan, is that you know, he's using it as a lever to how he engages with the board at Telenor Group, how he engages with getting their buy-in to where he's trying to evolve their cybersecurity program to.

[00:11:40] So it's not that it's asking to do things differently. It's more of a kind of a hammer you can drop to say, we need to do these things. And here's the reasons why, because these penalties are going to come and you're going to be required. 

[00:11:52] Stan Wisseman: One way or another, and in this NIS2 directive context, there are some significant penalties similar to GDPR.

[00:11:59] So, I mean, I think that again, they have a stick kind of approach to try to drive compliance.

[00:12:05] Rob Aragao: And the next one I wanted to cover off, and actually I'm going to play off what you just said with GDPR, because I, you know, the EU, to me, does it, does it right, meaning that we don't like it at times, we didn't like it with GDPR, a lot of lessons learned, but listen, they're the ones who released the very first real-with-teeth

[00:12:25] privacy regulation, right? You just talked about the NIS2 directive, which has evolved from the EU. The next one is the EU Cyber Resiliency Act, right? That was in '22, if not even earlier, when they initially came out with this EU Cyber Resiliency Act. And my point is, is that they really are very kind of cutting edge.

[00:12:46] Let's go lead the way, right? We'll make the adjustments and so on. But the EU Cyber Resiliency Act is something that is not in stone as to when it really will go into effect from when you will be required to do so or penalized. But they're talking about the early part of this year, 2024 to do so. And in essence, what it does is it emphasizes and focuses around helping really drive more security by design principles into your products and services, by the way.

[00:13:12] When, and if you plan to sell. Those products and services into any part of the EU. Think about that. It's not an EU entity. Exactly. Not just because you're an EU entity that had flattened enough. You're in the States. You're in Australia, Singapore. I don't care. Brazil doesn't matter. You have products and services that you want to sell into EU and their residents and their businesses.

[00:13:34] You need to abide by these or else you're going to be penalized. And the penalties can be as high as, I believe it's 15 million Euros is the top, or 2 percent, 2.5 percent of turnover, kind of similar to what it was when GDPR first came out. So there's teeth behind it, but I think it's a great point because it's emphasizing product security and really putting some really good strong kind of, I don't know if they're really, I didn't see that they were very well defined specific control mechanisms in there, but more kind of guidance and some guardrails to think about as you're developing products and the security elements that you have to think about and taking into consideration.

[00:14:11] Stan Wisseman: Yeah. And you say that the EU does it right. And I, and I reflect back on some of the last couple of years of what the U.S. has been doing. I think President Biden's executive order on cyber security was a really good first step. And we're seeing trickle down effects as far as those agencies like CISA and NIST having to create guidance and ultimately regulate the agencies on what they're doing with software supply chain, zero trust, etc.

[00:14:42] But an area where we're continuing, I think, to fail in the U.S. is we don't have an equivalent to GDPR, a, a nationwide data privacy kind of law or regulation, right? You, you end up with all these fragmented state level regulations and, and the poster child for that in the U.S. has been California and what they've been doing.

[00:15:07] And, you know, we, we now are going to see in 2024 several other states join the fray with Florida, Oregon, Texas, and Montana introducing comprehensive data privacy regulations and it's going to, you know, encompass a range of different provisions and consumer rights are going to be an aspect of it, as well as how their personal data is going to be

[00:15:32] leveraged and used by the business and what they collect and process and how they ultimately secure it. But the challenge for organizations that are trying to comply is you have this patchwork of, of regulations that you, if you're doing business in the 50 states and Europe and you have to, you know, do a lot of work to ensure that you're compliant.

[00:15:53] And, and do you do it, you know, what can you hang your hat on to, to say that you're 90 percent there? And then work with that, that delta for the different states and their specific requirements.

[00:16:05] Rob Aragao: Yeah, I think, you know, you're spot on where there's been talk about a national privacy regulation law, but there's been no movement.

[00:16:15] I haven't seen any movement really whatsoever other than talk. Right. And so yeah, you're, you're absolutely right. It's, it's very difficult because it is completely patchwork. You, as you stated, right, that we have all these additional states. So now I went back and looked, so there's 12 states now effective coming into 2024 that have their own individual privacy acts.

[00:16:35] Right. And then there's another 12 that last year introduced what they're planning to go in and maybe this year or in 2025 have their own, so you're going to have half of the U.S. by the end of 2025, at least half of the U.S. by the end of 2025 with some sort of privacy regulation and just managing on that.

[00:16:54] We talk about with different organizations, how difficult it is to manage global privacy regulations, GDPR, PIPTA, right? You name it, right? And it's like. Wow. Right. Then you turn to the U.S. and it's like, hey, by the way, here's at least 12 and then there's more to come to add on top of that. And by the way, I feel it, it's always like a contest where the next state is trying to up level the previous state's privacy law by some sort of kind of, let me tighten that screw a little bit tighter.

[00:17:24] So, interesting to see how that one plays out.

[00:17:26] Stan Wisseman: Again, as we started off the show, the reason these regulations are coming to bear is that the number of data breaches is increasing. The confidence that organizations can put in adequate controls to mitigate the threat on their own is lacking and, and the evidence is compelling, right?

[00:17:46] That left by themselves, you know, they are not doing even the minimum required. As we said a moment ago, organizations shouldn't look at these regulations as the, the target state. That is the, that should be the minimum bar. With a risk-based approach, you have to look at the specific threats that you're addressing, and that could be security measures and controls that are beyond what is being required by regulators.

[00:18:15] And so it is, it's one of those things where you're going to have to demonstrate compliance and it's complicated given the number of regulations that are coming out and the number of regulations are getting released because of the escalation and the threat landscape and the lack of ability of organizations to protect themselves and the data they're processing.


[00:18:35] Rob Aragao: Totally agree. I think it's, it'd be interesting to see what else kind of net new gets introduced this year. But I think it's great that, you know, we're able to kind of, at the early part of the year in January, start giving this kind of vision into, you know, laws that are going into place that will become effective, these, these acts that are going to be launched.

[00:18:52] And again, just some awareness and you can always go back as, as we've been mentioning to go and replay more great detail with guests in specific episodes on those given topics that we've had in the past.

[00:19:04] Stan Wisseman: Thank you for being here, Rob.

[00:19:10] I don't know what to say, man. You always close.

[00:19:17] Rob Aragao: Well, thanks everyone for joining us. And again, you have an opportunity to go back and delve in deeper to those episodes we called out to learn more. 

[00:19:23] Stan Wisseman: Thanks, Rob. See, that's what I always say.