Streamline your regulatory compliance obligations
Regulatory compliance has intensified in areas such as anti-money laundering, privacy and audit/reporting. The demand for better solutions that automate and streamline the activities needed to comply with the demands of regulators has spawned a booming sector of innovative software and service companies known as ‘RegTech’.
RegTech in cyber security
RegTech refers to specialised technologies that help organisations remain compliant with financial risk management obligations. In many cases, if organisations do not meet these regulatory obligations they could be fined or lose their licence to operate.
Deloitte describe RegTech as:
“providing technologically advanced solutions to the ever-increasing demands of compliance within the financial industry”.
While Investopedia calls it:
“the management of regulatory processes within the financial industry through technology. The main functions of Regtech include regulatory monitoring, reporting, and compliance.”
But this capability is not limited to the financial services sector or to finance regulations. Cyber security risks have been growing in prominence for many years and boards are acutely aware of the financial and reputational impacts of breaches – whether affecting consumers and privacy or IP that has value to the business.
The market/share price effects as well as consumer impacts mean that regulators and audit committees have a need for increasing assurance in cyber risk, as well as in financial probity and reporting.
Automated and objective cyber posture monitoring
With security teams continually stretched, and technology growing in complexity (for example through the adoption of cloud, IoT and mobile applications), there is a need to automatically report on the security control status, or cyber posture, of your organisation.
Public Company Accounting Oversight Board (PCAOB) Auditing Standards in the United States require auditors to consider the quality and reliability of audit evidence, so reports on security control effectiveness that take a long time to generate or derive, and/or which have to be manually collated and assembled are unlikely to give sufficient assurance.
The PCAOB view on the role of auditors of public companies with respect to cyber security can be found here.
Studies show that when you ask operational staff for a view on security control effectiveness they will give over-optimistic results – look no further than the Australian National Audit Office’s government entity audits, discussed in our cyber security resilience blog post.
Taking people out of the loop of inspection, analysis and reporting not only eases the resource burden, it gives a clearer picture of the true state of control effectiveness and reduces the risk of misstatements around the performance of cyber controls.
Beyond mandatory data breach reporting
Now that mandatory data breach reporting has been established in regulations such as the EU GDPR and Australia’s Notifiable Data Breach scheme, regulators are evolving towards disclosure of an organisation’s cybersecurity risk information. For example, the Securities and Exchange Commission (SEC) in the United States has issued guidance to public companies with respect to their public filings noting that it is critical that public companies provide investors with timely and ongoing information regarding material cybersecurity risks. Evaluation of cybersecurity risks should include, among others:
- the adequacy of preventative actions taken to reduce cybersecurity risks; and
- the aspects of the company’s business and operations that give rise to material cybersecurity risks.
Companies should also assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information is processed and reported to appropriate personnel, to enable senior management to make disclosure decisions.
How Huntsman Security’s RegTech can help
Essential 8 Scorecard
Huntsman Security’s RegTech solutions align to the Essential 8 controls that the Australian government identified as reducing 85% of cyber risk. The Essential 8 Scorecard operates automatically and transparently to continuously measure the effectiveness of the eight critical controls. It regularly generates and distributes reports in a format that key stakeholders can understand, with no manual effort to create or translate them.
Essential 8 Auditor
The Essential 8 Auditor is designed as a cyber risk audit tool that provides you with an immediate view of cyber posture against the Essential 8 controls. The solution can be used internally or externally by Security Consultants, Auditors and Risk & Compliance Managers.
Download our brochures to find out more about our Essential 8 Scorecard and Essential 8 Auditor to help measure the effectiveness of your organisation’s security controls:
The Essential 8 controls can be found in almost all national and international security standards – COBIT, ISO 27001, PCI DSS, NCSC Top 10 and NIST CSF; they provide a baseline of cyber hygiene that is vital to building cyber resilience. Huntsman Security’s technology automates the audit and reporting processes and allows audit and security teams to focus on the more specific challenges their businesses face.