Hello. Welcome to the cyber leadership and management course. Today we will be discussing cybersecurity communication channels to the regulators. My name is Cicero Chimbanda, and I am your instructor for this course. Cybersecurity communication channels to the key stakeholders, the regulators. We will be discussing and designing the development of communications to the regulators that produce this trust. The key topics that will be discussed in this course are: we will talk about communication to the regulators, an overview. We will then look at regulator reports; we will look at three different slides on regulator reports. Lastly, we will talk about administrative controls for regulators. Let's begin.

The success of the cybersecurity communication is absolutely dependent on a working relationship between the cybersecurity leader, which is the chief information security officer, and the top legal professionals. In this case, it could be the CCO, which is the chief compliance officer, the CLO, chief legal officer, or the CRO, chief risk officer, or even in some cases, the chief general counsel. Nevertheless, that relationship has to have a great link of communication between the two. This factors in because of the authority that's provided to these individuals. It must come from the top. As we discussed, there are legally binding rules that the organization must abide by. The authority of senior management must give full appointment to this particular position. A chief information security officer must be a part of that senior management, and so must that legal professional. Those two positions will be co-chairing or definitely working together in that cyber governance committee. Again, the whole goal that's trying to be produced is to understand from the senior managers the vision, the mission, the goals and strategy.
Usually this is done periodically in executive board meetings, so whether it'll be quarterly, semi-annually or annually, this is where that interface must happen between the CISO and the top legal professional and the executive board. In doing so, the message or deliverable that must be conveyed by the two professionals to the board is integrity: data and information integrity, systems integrity, adhering to the laws, which will also produce trust. Trust is also a mechanism that allows the corporation to function properly with the regulators, because they trust their systems, they trust their processes, they trust their personnel, that they are adhering to the laws, and ultimately, that the regulatory systems are being abided by, that the legal obligations to the regulatory rules are being followed. Of course, as we have looked at in previous courses, it all depends on which industry and what type of company your organization is operating under.

Looking at the second slide, we are looking at regulator reporting. It is important for the cybersecurity, legal, and other senior leaders to understand what the regulatory legally binding rules are that the organization must abide by. The overall principle that the cybersecurity leader will want to deliver is the cybersecurity strategy that will yield trust for the organization. Thus, understanding the specific regulatory obligations that apply to that organization is important. We've looked at this before: some are legally binding, you see those on the left. Some are perhaps legally binding, but then there's also the governing jurisdiction. Depending on what geographical location the corporation is registered in or is operating under, selling or perhaps banking, there will be different jurisdictions; every state and territory has its own basic corporate.
The federal government creates minimum standards for trade; for example, the Securities Exchange Act of 1934 binds any company that's working within the United States, and it's a federal law. Sarbanes–Oxley is a federal law, Dodd-Frank, too. These are specific federal laws that corporations operating within the United States, depending on what type of business they are under, will have to abide by. Then there are state laws. The corporation must be incorporated in a specific state, so they will have to abide by those laws. Then there are counties and cities. There might be certain permits, certain clinical construction taxes, penalties that must be understood while that corporation is working under a specific county or city law. Certainly, certain cities and counties have minimum requirements for cybersecurity measures, and those must be understood. Lastly, there are international laws; for example, if you're operating in selling, or have employees that are international, or have dealings with international companies, or perhaps you're breached by an international company, then certain laws might apply. The FBI may get involved, the NSA, the US State Department might be involved. There are certain laws if you're doing business overseas; for example, in Europe the GDPR, which is the General Data Protection Regulation, which, if you hold data or a data center in Europe, you must abide by.

Lastly, in terms of legality, one needs to understand the branches of government, because the legislative branch is what makes the laws. Congress, the Senate and the House, might have certain bills that are being debated which could affect specific cybersecurity technology or be specific to your business. The executive branch has the President, Vice President, and 16 cabinets; certainly what they pass could influence or impact the operation of a business. The 16 cabinets, and we will look at some examples, will have certain laws and regulations that certain companies that fall within those jurisdictions must follow.
Lastly, you have the judicial branch, which interprets the law. If you're ever in a lawsuit, or suing or filing a lawsuit against someone, there might be cases where your lawsuits will reach the specific jurisdictions mentioned earlier. These are important bodies that one needs to make sure they follow, as we look at the different regulatory governance and agency body samples. These are, again, the Department of Labor, for example, an agency that governs the employees within the United States; the Department of Defense, which is a government agency which has to do with security and military within the United States; the Department of Homeland Security, which has the Cybersecurity and Infrastructure Security Agency underneath it. They have specific rules, laws, and regulations that must be followed through. The Food and Drug Administration will regulate certain products that are within their jurisdiction; FINRA, which is the Financial Industry Regulatory Authority, has certain laws that must be adhered to by financial companies. The Federal Trade Commission has certain rules. Health and Human Resources, which is what sponsored HIPAA and other rules or acts that fall within the medical and health industry. The Department of Agriculture, the Department of Commerce, small businesses. Some of these are under the 16 cabinets, as we talked about before under the executive branch; others are not. But nevertheless, it's important for the communication of regulatory reporting that one understands their requirements within those particular jurisdictions.

Heavily regulated industries, as we've talked about before. You have the financial industry. In the financial industry, as we mentioned earlier, the SEC, the Securities and Exchange Commission, of which financial investment banks are members, regulates. You have others like FINRA, as we discussed, the Financial Industry Regulatory Authority. They have certain rules for financial banks and they will provide audits depending on your specific company.
Well, you have to understand their rules, their requirements for reporting. Then health care. You have HIPAA, the Health Insurance Portability and Accountability Act. You have the Patient Safety and Quality Improvement Act. Again, these are different rules and acts that must be followed and will need to be reported on depending on who and where you are conducting your business.

Looking at the third portion of regulatory reporting, I want to shift to talk a little bit about what are some mistakes that have been seen when companies or organizations are reporting to regulators. Four common mistakes. Number 1 is having no clear understanding of the regulator. Obviously, this can provide a challenge. Do your homework when you're having an audit to understand the position of the reviewer, understand their biases, understand the members. Make sure that you have a clear understanding of the regulator. The other one is not having a clear agenda or a message. It's important, for example, to know who is championing the regulatory consulting engagement. There must be advice from previous rulings. It's up to you to know what is going to be asked. It's important for one to understand that. The other one is ignoring the regulatory agencies. You don't want to do that. If there are findings or if there are questions or if there are comments, you must not ignore them; you must answer the individual's requests. Then, lastly, going over the head or bypassing the escalation protocols. Not a good idea. Regardless of the outcome, you want to have a long-term relationship with your regulator. If you have any issues and you're escalating and going to different protocols, that will not fare well for your audits.

Some tips to follow. I'll do them in twos. Number 1, build a relationship with the reviewer in your division. Great relationships, great goals, and communication. Understanding where they're coming from is very important. Number 2, have great preparation. Use the right means to prepare.
Taking more time to understand effectively what must be communicated is important. Three and four: analyze your audience and environment. Know as much as you can about the people that are coming to the meeting. In order for you to understand the influences, you need to understand the regulator, and then understand their world. Four, talk to people who have been there before. You might have somebody in your organization that has done the audits, or maybe there's an outside consultant. Take as much advantage of that as you can. Then five and six: listen to your regulators. Basically understanding, giving feedback, reading their body language. If it's on a phone, maybe try to have video conferencing so you can have more of a face-to-face conversation, really to understand the people that you're dealing with. Then the team that you're going to be working with internally. Choose your team wisely, be specific, have them segregated into different functions, make sure that they are not bringing opinions to the table, make sure the team is cohesive, and really practice before you have your meeting, as we talked about before with the team. Keeping it simple. Keeping it short and simple, not over-communicating, not embellishing, answering specific questions, and sticking to just the answer. Then remember, less is more. Controlling the Q&A. Don't fear questions; anticipate questions. Once you identify the questions, try to bridge the key message to the question. Then, be human. Understand that they're human, you're human. Nonverbal communication, expressing. If you're nervous on your first time, being honest and being human is very important. Following up and making sure that you have good notes and submit minutes is important as well. These are some tips that were taken from 3D Communications, as posted in your reentry resources. Remember that the goal in reporting is to be secure and not just to be compliant.
Yes, it is important to be compliant with your regulators, but really what is going to fare well is how secure your organization is. These are some tips on enhancing your regulatory communication. Education is very important. Educate your team; educate the people responsible for reporting. Invest. There must be some investment, budget dollars allocated to the communication. Consolidate so that there's a central wheelhouse, if you will, in the communication, so it's one message. Share your information, internal and external, both input and output. Also partner with other industries or other vendors or other companies, if it weren't, so that you're having hands on the table for your reporting.

Lastly, looking at cybersecurity communication regulations and administrative controls, let's look at some controls in reporting communications. The cybersecurity leader or the CSO, through the cybersecurity task force, must establish administrative controls that will have minimum requirements to report to regulators. These are some samples of these elements; for example, regulatory compliance reporting. Again, this will be based on the regulators. Having a cybersecurity program and procedures; laying out a document or a program that you will provide. Having annual risk audits and providing those results. IAM audits, Identity and Access Management audits, having those available if required. Vendor management questionnaires, legal hold investigations, forensics, post-incident reports from elements, user awareness training, phishing testing results. A lot of times the regulators just want to know that you are doing these things. So sometimes providing a table of contents showing the documents, not necessarily showing the whole document unless it's asked for, and showing the date. These are some best practices. Again, answering the specific questions or giving what they require, not too much and not too little.
An example of administrative controls that need to be put in place and that are mandated by a regulator, in this case the Occupational Safety and Health Administration, OSHA. What they do is they require, for example, there to be training. They require there to be procedures, steps of job processes; for example, if there's something hazardous, developing standardization, safe work practices. Maintenance is required: having scheduled maintenance, machines must be operated and maintained, having preventive maintenance on equipment; these are housekeeping measures. Cleaning and reduction of injury minimizes the severity of incidents. Lastly, having signs on the floor. Visual cues, reminder tips. These are some administrative controls that OSHA recommends for certain manufacturers that handle hazardous mechanisms. Then lastly, in communicating to your senior executives about what's going on in the regulatory space, you want to have reporting at the boardroom level using frameworks like GRC, which is Governance, Risk and Compliance. Conveying the ultimate goal of integrity: the trust and regulatory obligations are being met through these systems. Obviously, these are important to make sure that you communicate to your regulators. Again, having quarterly or annual reporting depending on their schedule. You report out to, for example, the FDA, FINRA, the FTC, Health and Human Services, the Department of Agriculture. Again, whatever body you are regulated by, make sure that you are doing that. This right here completes or concludes this course, and we will discuss more.