9.19 – SSI – Ken Kirschenbaum
There’s eventually going to come a day when customers won’t do business with you unless you take proper cyber-precautions.
Cybersecurity is a hot topic and security systems and equipment are right in the middle of the issue. It’s not going to be long before customers are letting you know that unless you use secure encryption in equipment that stores, processes or transmits data, and allow third-party cybersecurity review (monitoring and inspection that complies with “industry guidelines”), they can’t do business with you.
Those of you doing business with the government already experience this. Try providing security to a defense contractor without ensuring encryption services and external compliance audits.
SecureXperts is among the industry leaders in providing guidance and technical baselines that reduce the risk of cybersecurity breaches and attacks. The company’s president and CEO, Darnell Washington, is a recognized expert in this area and advises that there are two industry sources for guidelines.
Encryption services meeting high-level requirements are available for cameras and access control equipment and systems, as well as other IoT and network-connected physical security devices.
Ensuring that your equipment complies with cybersecurity guidelines is going to cost money, a cost you will be passing on to your subscribers who will insist on this level of cyber protection.
(i) CYBER SECURITY: COMPLIANT ENCRYPTION: Subscriber agrees to pay ALARM COMPANY the sum of $_________ per month for the term of this agreement for cybersecurity encryption services as specified in the Schedule of Equipment and Services. Cybersecurity compliance and conformance programs include guidelines in Underwriters Laboratory 2090 Cybersecurity Assurance Program or the National Institute of Standards and Technology Cybersecurity Framework. Encryption services are currently available for installation, inspection and monitoring of camera and access control equipment that meets Advanced Encryption Standard specifications for encryption of electronic data established by the U.S. National Institute of Standards and Technology, UL or any other established criteria for encryption.
Though your contract will provide a layer of protection against claims for cyber breach, you would be wise to carry insurance for cyber claims. It’s likely that your alarm E&O policy does not have this coverage.
You need to ensure not only that your contracts are appropriate, but that your insurance is as well. Security America, launched through the Electronic Security Association (ESA) in 2004, offers cyber coverage as a part of its package.
Security America and its partners have helped clients handle more than 5,000 data breaches, allowing the company to learn a few things about identifying and reducing risk. That wisdom is passed on to alarm companies in addition to the insurance coverage.
The result is cyber insurance that keeps alarm companies protected and provides valuable risk management to help minimize data breaches, along with incident management when they do occur.
You are going to be hearing a lot more about cybersecurity: what you can do to protect against breaches, for yourself and your customers, and how to protect yourself contractually and with insurance coverage. Eventually this isn’t going to be optional, so get onboard now.
Security Sales & Integration’s “Legal Briefing” columnist Ken Kirschenbaum has been a recognized counsel to the alarm industry for 35 years and is principal of Kirschenbaum & Kirschenbaum, P.C. His team of attorneys, which includes daughter Jennifer, specializes in transactional, defense litigation, regulatory compliance and collection matters.