IT Security: Risk of Inaction


Establishing a Robust Cybersecurity Program

Creating and maintaining a robust cybersecurity program is straightforward and beneficial:

  • Improve access to cyber insurance
  • Improve competitive posture
  • Protect reputation
  • Protect assets
  • Maintain trust among all parties
  • Avoid penalties and legal repercussions
  • Retain customers

When fiscal pressures mount, however, many CISOs begin to face questions from stakeholders (including CEOs, CFOs, and Boards of Directors) such as:

  • What happens if we don’t comply with cybersecurity regulations?
  • What happens if our certifications lapse?

Let’s review the risks and penalties for non-compliance with common IT Security Standards.

Risks of Insecure IT Security

Some risks can be generalized over multiple standards and are commonly encountered as a result of:

  • Lapse in certification
  • Dismantling of an IT security program

Breach Risk

  • Lawsuit by the clients whose information has been violated.
  • Loss of trust due to the lack of security.
  • Negative impact on your company’s reputation.
  • Decreased competitive advantage.
  • Loss of customers. 2021 saw the highest average data breach costs in 17 years, according to IBM: the average cost of a data breach rose from $3.86 million to $4.24 million.
  • Customer compensation for those whose data has been compromised (cost associated with credit card monitoring, insurance against identity theft, cost of card replacement, etc.). This recently cost Capital One $190 million.
  • Increased rates.
  • Cost of forensic investigation to determine the impact of the breach.
  • Cost of card replacement.

Breach Penalties

  • Payments to each individual cardholder whose information has been endangered.
  • Termination of the relationship.
  • Penalties by Payment Processor.
  • Criminal penalties can occur in some cases.


Paying penalties reduces the amount of cash that can be reinvested back into the organization, resulting in a negative impact on cash flow.

Risks of Non-Compliance with IT Security Standards

There are risks that can and will occur when an organization:

For each standard below: what it is, to whom it applies, and the specific risks of non-compliance, a data breach, and/or a lapse in compliance.

PCI DSS

What it is: PCI DSS provides technical and operational requirements to protect cardholder data and reduce fraud.

To whom does this apply? PCI DSS applies to all entities that store, process, or transmit cardholder data, and includes requirements for software developers and manufacturers of applications and devices used in those transactions.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

  • Between $50 and $90 per cardholder whose information has been endangered.
  • Termination of the relationship between company and bank/payment processor.
  • Penalties by payment processor. Penalties can range from $5,000 to $100,000 per month depending on the size of the organization, as well as the scope and seriousness of the breach.
  • Increased rates charged by payment processors and banks.

SOC 2

What it is: SOC 2 reports help service organizations that provide services to other entities build trust and confidence in the services performed and establish controls related to the services through a report by an independent CPA.

To whom does this apply? The service organizations that utilize SOC are typically in the finance, healthcare, and business analytics industries.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

  • The company is at a high risk of facing severe regulatory consequences.
  • The system is highly susceptible to potential threats.
  • Lost or interrupted sales.

ISO 27001

What it is: ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an organization’s ISMS. It outlines requirements tailored to the organization’s needs for assessing and treating information security risks.

To whom does this apply? ISO 27001 is used by organizations across all sectors that seek to establish an ISMS, apply a risk management process adapted to their size and needs, and scale it as those factors evolve.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

  • Data processing may be temporarily or permanently prohibited through the imposition of bans.

HIPAA

What it is: HIPAA sets standards to safeguard individuals’ medical records and other confidential information. It also limits the use and disclosure of such information without the individual’s consent.

To whom does this apply? HIPAA applies to health plans, healthcare clearinghouses, and providers that conduct certain healthcare transactions electronically.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

Civil Penalties: There are four tiered ranges of penalties for violating HIPAA. Maximum penalty caps of up to $1.5 million apply to all violations of an identical provision during a calendar year.

Culpability                             Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Cap
No Knowledge                            $100                            $50,000                         $25,000
Reasonable Cause                        $1,000                          $50,000                         $100,000
Willful Neglect, Timely Corrected       $10,000                         $50,000                         $250,000
Willful Neglect, Not Timely Corrected   $50,000                         $50,000                         $1,500,000

Criminal Penalties: A HIPAA violation can also result in criminal penalties. According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR):

  • Unauthorized disclosure of individually identifiable health information in violation of the Privacy Rule can carry a criminal penalty of up to $50k and up to one year of imprisonment.
  • Penalties for wrongful conduct can result in imprisonment of up to 5 years and a fine of $100k. If the conduct involves identifiable health information for commercial gain, personal benefit, or malicious harm, the penalty may increase up to 10 years of imprisonment and a fine of $250k.

GDPR

What it is: The GDPR establishes rules protecting the processing and free movement of personal data.

To whom does this apply? The GDPR applies to the processing of all personal data, automated or not.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

  • Requirement to adjust data processing to comply with the GDPR.
  • Ban on data processing. Sanctions may be imposed on processors.
  • Fines proportionate to each individual case. For especially severe violations the fine can be up to 20 million euros, or in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher.
  • Intentional infringement, a failure to mitigate damage, or a lack of collaboration with authorities can increase penalties.

A whole group can be treated as one undertaking, with its total worldwide annual turnover used to calculate the fine for a GDPR infringement by one of its companies.

FedRAMP®

What it is: FedRAMP® promotes secure cloud services in US federal agencies by providing a standardized, cost-effective, and risk-based approach to security authorizations and threat assessments for cloud technologies.

To whom does this apply? Cloud Service Providers whose Cloud Service Offering is used by the US federal government should consider obtaining a FedRAMP® Authorization.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

  • Failure of a CSP to report an incident or suspected incident according to the FedRAMP incident communication procedures will result in the issuance of a Corrective Action Plan (CAP).
  • A second failure of a CSP to report an incident or suspected incident according to those communication procedures may result in the suspension of the CSP’s ATO or P-ATO.

NIST 800-171

What it is: NIST 800-171 provides a voluntary framework consisting of standards, guidelines, and best practices for organizations to better manage and reduce cybersecurity-related risks.

To whom does this apply? US federal agencies, contractors, and subcontractors working with the US federal government are required to comply with NIST requirements.

Specific risks of non-compliance, a data breach, and/or a lapse in compliance:

  • Damages are awarded in the case of a contract breach or false claims.
  • Suspension or permanent contract termination.

About Us

ControlCase is a global provider of technology-driven compliance and security solutions. ControlCase is committed to partnering with clients to develop strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments.

ControlCase provides the best experts, customer experience and technology for regulations including PCI DSS, GDPR, SOC2, HIPAA, ISO 27001/2, CCPA, SWIFT, Microsoft SSPA, CSA STAR, SCA, PA DSS, PCI P2PE, PCI PIN, PCI 3DS, PCI Secure Software, PCI Secure SLC.

https://controlcase.com
