By Rob Hegedus, CEO, Sera-Brynn
It’s not about the technology, it’s about insurability.
With the implementation of GDPR, the inevitable FAR-wide adoption of NIST 800-171 standards (already mandatory for Department of Defense contractors), and the latest news on cybersecurity legislation from New York and South Carolina, the global business community as a whole is slowly but deliberately shifting from a “risk mitigation” mindset to one of “risk transfer.” Risk transfer explicitly implies an institutional shift towards regulatory-based oversight. And that’s not necessarily a bad thing.
As technology becomes more and more ubiquitous in the cybersecurity space, we will see an increase in M&A activity along capability verticals, with the inevitable end result of four or five major technology players. It happens in practically every other industry, and we’re witnessing the continuation of this consolidation within the cybersecurity industry right now.
This shift from risk mitigation to risk transfer includes Managed Service Providers / Managed Security Service Providers (MSPs/MSSPs), but be wary of the demarcation between risk mitigation and transfer. We’ve seen too often the product sale implying regulatory compliance, only for the purchaser to be left holding the bag after an incident and/or audit. Did any of that risk transfer to the MSP/MSSP? Unlikely. The lesson here is no product will solve a compliance requirement. It may make it easier to implement, but it won’t solve it. Any vendor who says it will is lying to you.
Which brings us back to insurability. The entire financial system rests on this foundational principle. This financial system allows businesses to operate through lines of credit, business loans, mergers and acquisitions, teaming partnerships, subcontract agreements, etc. To ensure soundness in this system, the “system” is shifting more towards an institutional approach to cybersecurity. Again, that means regulations. And that means the principal players in this industry will eventually be auditors, law firms, accounting firms (especially large established companies), and most importantly, insurers and re-insurers. That last group includes Captive Insurance vehicles and Risk Retention Groups, some of whom have been at the forefront of this shift for a couple of years now.
Regulations are based on specific compliance criteria. And compliance implies changes in organizational behavior. Technology plays a part in that, but it only gets you so far. For example, the intent of the DFARS 7012 supplement that went into effect at the end of last year was to protect information vital to national security. The organizational behavioral changes explicitly outlined in the underlying NIST 800-171 controls are geared towards identifying, securing and protecting that information. The question then becomes one of certification.
As of right now, self-certification is acceptable for most cybersecurity compliance standards, including the aforementioned DFARS supplement. That will change. Self-certification is rarely an acceptable practice in other institutional regulatory environments where the stakes are much, much less critical. Cybersecurity just needs to catch up to the rest of the world. And it’s happening now before our eyes, albeit slowly yet methodically.
Here are some predictions based on recent activity in the cybersecurity regulatory space:
- After talking to 37 private equity firms in the last few months, most seem to agree that consolidation within the technical verticals will increase as valuations normalize. I don’t see any reason to disagree with this.
- In the absence of federal standards, more states will adopt legislation for specific industries similar to South Carolina’s and New York’s. Rhode Island and others are already prepared to do so.
- The days of self-certification are slowly going away. One of the largest hindrances to this evolution is the staggering amount of manpower needed to validate and verify cybersecurity standards. This is where technology will help. We think blockchain technology will dramatically increase efficiencies in the third-party certification process, especially along supply chains.
- The mid-market will start insisting on risk transfer to their MSPs/MSSPs. This process will be led by increasing insurance premium adjustments tied to cybersecurity standards and third-party certifications.
- In the middle of all of this will be the lawyers. Those law firms (and we know quite a few of them) that have robust cybersecurity practices are already ahead of the wave. This also means if you’re not involving in-house legal counsel in your company’s cybersecurity compliance discussions, you’re doing it wrong.
At the end of the day, in order to stay in business, I think companies and organizations will eventually be put into a position whereby they’ll have to prove, in one form or another, that they’re meeting whatever cybersecurity standard is applicable to them and their industry. The inevitability of the institutionalization of this process underlies one of the most basic fundamental premises of business operations that the cybersecurity industry cannot escape (just ask anyone who lends money): insurability.