In interviews with CSO, Jacob Olcott, who manages the cybersecurity practice at Good Harbor Security Risk Management, and Lisa Sotto, chair of the global privacy and cybersecurity practice at Hunton & Williams, commented on the case.
"It's a significant development because auditors and security technology companies have never previously faced liability for failing to detect or mitigate breaches. It certainly raises the bar for auditors, who may modify their auditing practices to enhance the scrutiny of the companies they audit," said Olcott.
Some assessors are more "check the box" and less rigorous, while others are extremely thorough, Sotto said. Less diligent QSAs will sometimes cut corners in order to keep prices competitive. "The QSAs would be wise to pay attention to this and to ensure that there's appropriate rigor in their assessments," Sotto added.
"The cost pressure results in probably less time than may be needed to do an appropriate assessment."