Reading Time: 3 Minutes
Global data protection regulations (new or updated) are being enforced aggressively, resulting in a tsunami of hefty fines and penalties to violators. The majority of these violations result from the failure to conduct regular risk assessments, which form an integral part of the ‘appropriate measures’ a business must take to ensure information security.
For example, in 2017, credit agency Equifax lost personal and financial information of nearly 150 million consumers due to an unpatched Apache Struts framework in one of its databases. Regulatory authorities found Equifax guilty of “failing to take reasonable steps to secure its network”. The credit agency was mandated to pay a hefty fine, valued at potentially $700 million, which it is still paying to the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states.
Read: Understanding and Calculating Organisational Risk
If Equifax had implemented an ongoing risk assessment strategy, it could have avoided the subsequent financial fallout and reputational damage. A single risk assessment would have helped Equifax uncover and fix the patch-related vulnerability promptly.
You must understand that regulatory agencies don’t expect you to cast a magic spell that can protect your network from threats indefinitely. They simply strive to hold you accountable for the steps you need to take to ensure consistent data protection and privacy. For example, the most enforced HIPAA audit requirement out of a total of 180, which has been cited in more than 50% of recent penalties, is an accurate and thorough risk analysis.
Recommended: Is your Business ready for HIPAA and PCI-DSS?
Here are a few instances where businesses were pulled up by the regulatory bodies and slapped with hefty fines for the lack of a risk assessment and management strategy. This will help you understand how risk assessment can go a long way towards building a resilient cybersecurity defence and demonstrating full compliance.
Marriott International Shelling Out Over €20 Million
Marriott International, Inc. was fined a whopping €20,450,000 in fines for failing to implement sufficient technical and organisational measures to ensure information security. The basis of the penalty was Article 32 of the General Data Protection Regulation (GDPR), which clearly states the need for “a process that regularly tests, assesses and evaluates the effectiveness of technical and organisational measures to ensure the security of the processing.”
Capital One Fined $80 Million
In 2019, Capital One suffered a breach affecting 100 million people in the U.S. and 6 million in Canada. By exploiting a configuration vulnerability in the company’s web application firewall, an “outside individual” obtained personal information of Capital One’s credit card customers as well as people who had applied for credit cards. The Office of the Comptroller of the Currency fined Capital One $80 million for its “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment.
Premera Blue Cross Coughing Up $6.85 Million
Washington-based health insurance company, Premera Blue Cross, was fined $6.85 million for HIPAA violations for a breach that affected over 10.4 million people. While handing Premera the second-largest HIPAA fine on record, the Office for Civil Rights (OCR) cited “system non-compliance” with HIPAA requirements. The OCR concluded that Premera had failed to conduct a risk analysis, implement risk management, or put audit controls in place.
Related Article: First Step to Compliance – a thorough and accurate risk assessment
It goes without saying that if all three companies paid heed to expert compliance advice and implemented a meticulous risk assessment and management strategy, their balance sheets would have looked significantly different.
Several data regulations have defined the importance of risk assessment in ensuring data privacy and protection. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) clearly mandates covered entities and their business associates to conduct a risk assessment.
Learn more with the article Managing your Technology Risk
By merely implementing this cybersecurity best practice – continuous risk assessment – you will be able to significantly reduce the likelihood of a security breach and a compliance audit; both of which can lead to a tremendous loss of revenue. Think about all the financial implications you could avoid. That should convince you.
Implementing a comprehensive risk assessment and information security strategy as part of routine operational procedures is no easy feat. You need specialised tools and experienced and dedicated support to ensure you get thorough and accurate risk assessments regularly to achieve and maintain compliance obligations.
Compliance is complicated and stressful, which is why partnering with an IT and Data Security specialist can help you simplify the risk assessment process and take the chaos and confusion out of the equation. Talk to us today to learn about our specialist approach to compliance and how we can help any business – including yours – be compliant without effort.