Biz EXCELerator - Nov 30, 2017 - “Cyber Security – What Companies Need to do to be Compliant, Competitive and Covered”
The MCCC Business Excelerator program on Thursday, November 30, 2017 addressed “Cyber Security – What Companies Need to do to be Compliant, Competitive and Covered” in the government and commercial arena.
Suzanne Rotbert, Miles & Stockbridge, P.C., introduced guest speakers Payal Vadhani, Partner, Technology Risk Services Group, Aronson LLC, and Rick Dreger, President, WaveGard. The speakers agreed that businesses that adopt a reliable cyber security strategy are advantaged in the marketplace.
Payal Vadhani outlined the mandatory provisions and clauses of DOD’s Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS clauses are applicable to the following DOD primes and sub-contractors:
It was noted that cyber security regulations modelled on DFARS are likely to become a standard across federal agencies. Where a contractor relies on a cloud service to handle covered information, that service must meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, and the contractor remains responsible for meeting the DFARS requirements for cyber incident reporting, malicious software handling, media preservation and protection, access to the additional information and equipment needed for forensic analysis, and cyber incident damage assessment. The “Roadmap to Compliance” has three parts: conduct an assessment of the current security posture and report its status; remediate any gaps and issues the assessment identifies; and continuously monitor to keep the controls effective. Payal described real-world incidents in which government contractors lost contracts, and in some cases their businesses, because of cyber vulnerabilities.
Rick Dreger discussed a few key issues for improving a company’s information security program in a practical way. First, he made the point that a robust cybersecurity program is both a business asset and a business differentiator. To be successful, senior leadership (e.g. CEO, CIO, CISO) must be able to articulate their cyber plan with ease. He advised that businesses should “punch above their security weight” and presented four ways to achieve this. First, every business should take an inventory of the systems and applications it has in place, including internal systems, cloud providers, SaaS applications, etc.; a program cannot protect assets it does not know about. Next, security awareness is a must: all employees should be trained to demonstrate cyber discipline in the workplace. Third, a risk management plan must be in place; businesses must understand, analyze and address their cybersecurity risks. Last, there must be a coherent strategy for responding to an incident, and the plan must be reasonable and actionable rather than a document that sits on a shelf. He also advised businesses to investigate cyber insurance options to help mitigate the financial risk that remains after these measures are in place.