Trends We’re Seeing in Cyber Insurance
Cyber insurance companies are starting to enforce compliance for small and mid-market companies. Nobody is exempt from compliance when anyone can be a victim of a cyberattack.
Hi, my name is Matt Mulcahy. I’m the Director of Business Development at ProSource. Today I wanted to touch on an emerging trend that we’re seeing in the space, which is insurance companies requiring small and mid-market companies to really be strict about their adherence to specific compliance frameworks. I wanted to just look at a recent assessment that we helped a customer complete and maybe touch on some of the high points that we see becoming challenges and contention points with some of our customers.
What we’re looking at right now is a standard security assessment. We do a few of these a week. They’re consistently being sent over to us to update and make sure that any changes or compliance framework updates are being captured and cataloged, and sent back to the Risk Assessment Agency. As you can see, this is very large. There are multiple tabs at the bottom going all the way to Z, and it can be quite overwhelming for customers to fill this out themselves. So that’s generally where we come in. We can help on a one-off basis, but a lot of the time we’re already doing managed IT for these firms, and we’re helping them move towards this compliance state.
So in this instance, you know, they’re looking for ISO 27002. What we find with these auditing agencies is that generally there’s a framework they’re looking for. But if you’re already working towards compliance under another framework — it might be NIST, it might be HIPAA — that generally can suffice in these instances. So they’re asking very explicit questions here, looking for very specific things that obviously map to controls within the ISO framework. But what we see is that if you’re already doing something similar, and it’s mapped to controls within another framework, that generally satisfies a lot of what these third parties are looking for. So just because they’re asking the question doesn’t mean you need to have that specific thing. If you can prove that you are working towards compliance in another framework, even though it might not map explicitly to what they’re looking for, that’ll generally satisfy whatever control they’re looking for.
So, you know, for this one they’re looking at: “Is there a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services?” Really, that’s making sure that you have someone on your team that is constantly looking at those changes. In the HIPAA framework, you have to have a named Compliance Officer. So this is an instance where they may be looking for something within ISO — and this actually isn’t going to map, so this is a standalone question. But, you know, you can go back to them and say, “Hey, we’re doing this under HIPAA by having a named Compliance Officer that’s reading all the HHS (Health and Human Services) updates that are being published on a monthly basis.”
Working through these can be very exhausting and overwhelming, especially if you have nothing in place. But generally some people have a lot of these in place already and they’re just not documented well. So make sure that you work towards a state where not only do you have the controls in place, but you have the documentation to back it. A lot of these questions here, and I’m sure I can find one very quickly, will refer to documentation. So, you know, does the risk governance plan include risk management policies, procedures, and internal controls? It’s not enough just to have the internal controls. You need to have the associated documentation. And what we always say is, you know, policies drive the practices. So the policies generally get developed first. They get approved, and then you roll out the technology changes. That’s generally the process we see in IT change management.
These can be gigantic. I’m not going to go over every single tab. But what we’re seeing is that independent insurance agencies are pushing these down to smaller businesses and mid-market businesses. And, you know, the traditional defense was: “We’re too small for this. We can’t afford this.” That just doesn’t fly in this day and age. Everyone’s a target from a hacking standpoint. It doesn’t matter how big or small you are; you can be monetized with ransomware, and that has downstream implications for the insurance payers and the huge payoffs that they have to stomach, which is why we’re seeing such a push to make sure that everyone they’re insuring has very robust cybersecurity and controls.
So if you have any other questions, feel free to reach out to me, and I’m happy to talk about this at any time. I just wanted to touch on a recent assessment that we got, so you know that everyone is really in scope for having robust cybersecurity in this day and age. There’s no excuse not to, and you have to have it at every growth stage within your business’s path going forward. Once again, my name is Matt from ProSource. We post — trying to post — about weekly now. Give us a follow if you have any interest in cybersecurity, IT, or compliance. Thanks for watching and have a great day.