The Flow Report - the data risk ahead
Cybersecurity regulation of data buyers is not well understood. As a result, it is often overlooked, as are cyber risks, despite the attention that individual breaches receive in the press and the resulting litigation. This post is not a summary of the current state of cybersecurity law, which includes the recent SolarWinds decision on July 18th, 2024 in the Southern District of New York (in which the court dismissed many of the Securities and Exchange Commission’s claims against SolarWinds). Instead, Glacier reviews some of the ways in which cybersecurity risk is underestimated by the data community and several steps to address it.
Regulatory context
The regulatory landscape has shifted significantly in the past 12 months. While the SolarWinds case was a substantial setback for agency authority over cybersecurity risk management by public companies, registered investment advisers and others regulated by the SEC noted that the recently released SEC exam priorities for 2025 prominently feature cybersecurity (e.g., testing policies and procedures, etc.). The SEC had previously adopted its cyber rule "Risk Management, Strategy, Governance, and Incident Disclosure" effective September 5th, 2023.
The Federal Trade Commission has also been active, amending its Safeguards rule (requiring non-banking financial institutions to develop security programs to protect customer data) effective May 13th, 2024, and pursuing multiple data companies for other regulatory violations throughout the year. It is important to consider that whatever impact the new administration in the United States may have, external cyber threats seem poised to multiply.
And yet the data community has its attention elsewhere.
The data supply chain is at risk
A report released in 2024 by Prevalent indicates that third party vendor breaches have risen by nearly 50% since 2021; in a similar report SecurityScorecard stated that third party vendors account for 29% of all breaches detected by the company. Cybersecurity incidents at large vendors such as Change Healthcare (owned by UnitedHealth Group) in 2024 now regularly result in class action lawsuits with substantial fines, which will presumably increase the cost of delivering data. The external data ecosystem is connected in this sense, even if thus far regulation and private litigation have mostly impacted distributors (and not their customers). Fines and disputes will put pressure on the entire data supply chain to manage both upstream and downstream processing.
Data governance is lagging
Regulators of data buyers in the United States have generally been focused on the disclosure of material incidents and the adoption of reasonable policies and procedures to protect (sensitive) information. Many buyers of external data have policies and procedures that govern access, storage, deletion, and management of sensitive data. But these controls may not clearly distinguish any rules for external data from rules for the buyer’s internal data or regulated data, such as personal data. Data governance, including basic rules around access to external data, appears to be in its early stages at many data-buying firms.
Suggested cybersecurity practices for external data
Cybersecurity controls around external data have not garnered much attention at many firms, despite the recent fervor over generative AI tools, which drive data consumption. Here are three practices that data users and their vendors should consider, each of which may better position their companies as cyber risk grows:
Conduct cybersecurity diligence - For particularly sensitive data, or for any relationship where data is shared in both directions (between the provider and the buyer), as with some AI tools, specific diligence is reasonable. While many data providers are not collecting data from their end-users, these risks require direct inquiry. Such diligence is not yet common, even at sophisticated firms.
Monitor vendors - Change Healthcare experienced a cybersecurity breach of staggering proportions in 2024. Informed users of this data were alert and took action.
Manage access, storage, and deletion - It seems unlikely that data users will be able to continue to grow their portfolios of external data provided by wide data supply chains without taking on some responsibility for the protection of this data, given regulatory fines and litigation. Some vendors are already requiring their clients to agree to contractual terms to protect licensed data and share risk.
Potential impact on insurance costs
Finally, data buyers and their vendors should both raise these controls in their negotiations with insurance companies for cybersecurity and privacy coverage. No doubt some savvy firms are already benefiting from reduced premiums and costs due to better practices in data governance. As with any risk mitigation, it is better to evaluate options before a cybersecurity incident occurs.
©2024 Glacier Network LLC d/b/a Glacier Risk (“Glacier”). This post has been prepared by Glacier for informational purposes and is not legal, tax, or investment advice. This post is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. This post was written by Don D’Amico without the use of generative AI tools. Don is the Founder & CEO of Glacier, a data risk company providing services to users of external and alternative data. Visit www.glaciernetwork.co to learn more.