A manufacturer who is a subcontractor for the U.S. Department of Defense learned that his business will now be subject to the new Cybersecurity Maturity Model Certification (CMMC) requirements. He asked the question, “How does my compliance help my business?”
An interesting question as it applies to businesses in all sectors who need to make business decisions about what to spend on cybersecurity or meet compliance requirements.
For CMMC, the most obvious answer is that if the business decides not to meet the requirements and pass an audit, they will not be able to respond to bid requests that require the certification. It’s possible that for a small business that brings in $15,000/year as a subcontractor, spending $50,000 to meet the requirements and pay for the audit may not be a good return on investment; unless they can either increase their pricing to cover the added costs or win additional business away from competitors who don’t become certified. For a manufacturer who relies on government contracts for the bulk of their $4M annual sales, the business case to become compliant is easy to make, even if it requires an initial six-figure spend.
Adhering to any cybersecurity framework, whether CMMC, HIPAA for healthcare, PCI for retail, or the NIST CSF for businesses who don’t fall under specific compliance requirements, there is a business case to be made for reduction of risk. Financier Worldwide states, “Cybersecurity should be viewed as a potentially existential risk to all organizations, regardless of size, industry or geographic footprint. If your organization uses a computer, you are vulnerable to cyber threats.”
The impact of an incident on your business will vary based on several factors, including:
1) What data was exposed?
- Was it protected data that requires notification to affected parties? How many records in total?
- Was it information that could lead to a loss of competitive advantage or a trade secret?
- Will the news of the breach result in the loss of current business? What about potential business?
2) What remediation will be required to get you back to business?
- Will your systems be off for days, weeks, or longer?
- Will being offline results in delayed revenue or loss of income?
- Is a significant investment in cyber forensics required?
- Do you need to invest in additional protection to make sure this same vulnerability is not exploited again?
3) What coverage do you have if you are breached?
- What does this coverage exclude that you need to be aware of? Most policies exclude regulatory fines, and some exclude legal judgments that could result from a business decision not to spend to comply with a cyber framework.
- Does your cyber insurance require that you meet specific requirements to maintain the network or perform ongoing testing to identify and correct vulnerabilities?
- Would failure to maintain compliance requirements result in denial of a cyber insurance claim?
Be sure to consider all of these factors when determining what you should spend on cybersecurity measures.