Cybersecurity: Regulators Differ in Approach to Risk Assessment Oversight
August 13, 2025
Government contractors are required to conduct cybersecurity risk assessments in accordance with NIST standards, but an IAPP article published earlier this month says that regulators differ in the way they approach their oversight of risk assessments. Here’s an excerpt:
Across the patchwork quilt of cybersecurity regulation in the U.S., enforcement agencies — including the Federal Trade Commission, Federal Communications Commission and Transportation Security Administration — agree that any entity’s cybersecurity program should address issues identified in a risk assessment. And since system inventories, attacker tactics and the state of the art in cybersecurity controls change over time, the agencies agree the risk assessment must be regularly updated.
There are, however, some noteworthy differences in the way agencies approach their oversight of the risk assessment process.
Especially noteworthy in the HHS cases is a practice that other regulators might want to adopt: Once HHS has concluded that an entity violated the security rule, it will oversee the entity’s risk assessment until satisfied it is complete and will then engage in an iterative review of the entity’s data security practices until those are deemed sufficient to respond to the identified risks. The FTC and the FCC, in contrast, impose lengthy lists of cybersecurity practices before the first risk assessment is done.
Moreover, neither the FTC nor the FCC reviews the risk assessment; instead, both agencies rely on the report of an assessor hired by the regulated entity. It would be interesting to know whether such an assessor has ever found an entity’s risk assessment inadequate. Finally, HHS’s practice of reviewing annual risk assessments to ensure that controls are well-matched to risk may help the FTC address concerns that it is locking settling entities for extended periods of time into sets of cybersecurity controls that may become outdated.
The article goes on to discuss in detail the differences in the approaches toward risk assessments taken by federal agencies, as well as the terms of various settlements of regulatory enforcement actions brought by various agencies relating to cybersecurity issues.