Cybersecurity Is An Urgent Priority
In 2017 Securities and Exchange Commision (SEC) settled a case with the investment advisory firm RT Jones. The company had suffered a data breach that compromised the personal details of nearly 100,000 people, just months before hackers breached the SEC’s own cyber defenses.
As long ago as 2015 former U.S. President Obama called cyber attacks a “national emergency.” Both houses of Congress and both major political parties agreed on the urgency of the cyber threat by nation-states and organized crime. Though they were able to pass a data-sharing bill that year, efforts to create a unified cyber security federal mandate have stalled since then.
The vacuum that federal inactivity on the topic has left the states to act. Half of the state governments have enacted laws that define behaviors and punitive measures to protect data and networks. The patchwork of cyber coverage complicates compliance for Chief Information Security Officers (CISOs) and increases risks for companies that work across state lines.
Meanwhile, Federal agencies have been working to protect themselves more effectively through mandates for its private contractors. Federal regulations that came into effect at the end of 2017 require companies bring their teams and subcontractors in compliance or risk a host of penalties.
Ad Hoc Federal Efforts
In early February 2018, Microsoft’s Senior Director of Trustworthy Computing, Paul Nicholas, called on the U.S. to replace ad-hoc efforts to address cyber threats by creating a “single national cybersecurity agency.” The Agency would consolidate key government functions related to information security and “ensure policies are prioritized across the nation.”
Currently, the Department of Justice has both the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). The Department of Homeland Security and the Office of the Director of National Intelligence (DNI) apply themselves to the Cyber Threat Intelligence Integration Center. Meanwhile, the Federal Trade Commision (FTC), the Secret Service and the National Institute of Standards and Technology (NIST) make occasional joint efforts to bolster the nation’s cybersecurity readiness. In February 2018, the Department of Energy (DOE) announced the establishment of the Office of Cybersecurity, Energy Security and Emergency Response (CESER). The DOE’s program intends to target energy infrastructure in the country.
The Best is Yet to Come?
The bloom of cybersecurity regulation was 2014 – 2015 when the magnitude of possible data breaches on the scale of Yahoo (3 billion customer records) and Equifax (143 million credit records) would be inconceivable.
In 2015 Congress was able to align intent with action to enact several measures.
The Cybersecurity Enhancement Act of 2014 provides an ongoing, voluntary public-private partnership to improve cybersecurity measures. The Act is also meant to fortify cybersecurity R&D, workforce development, education efforts, and public awareness and preparedness.
In October 2015, The Cybersecurity Information Sharing Act (CISA) was meant to improve cybersecurity measures in the country through enhanced sharing of information about cybersecurity threats. However, the scope of the Act only covers the sharing of internet traffic information between the U.S. government, technology companies, and manufacturers.
Federal Exchange Data Breach Notification Act of 2015 is a bill that requires a health insurance exchange to notify each individual whose personal information has been compromised. In the event cybercriminals have breached an exchange’s computer system, the exchange must contact customers no later than 60 days after it has discovered the breach.
National Cybersecurity Protection Advancement Act of 2015: This law broadens the Homeland Security Act of 2002. The Department of Homeland Security’s (DHS’s) national cybersecurity and communications integration center (NCCIC) expanded its non-federal representatives to include tribal governments, information sharing and analysis centers, and private entities.
Despite these laws, the question remains as to if and when Congress will enact a comprehensive policy that guides the cybersecurity of America’s commercial sector.
Cybersecurity Abhors a Vacuum
What Microsoft’s Paul Nicholas is alluding to in his the Microsoft white paper about overarching Federal cybersecurity regulation can be found in the European Union’s GDPR – General Data Protection Regulation. GDPR comes into effect in May 2018. The European regulation gives the European Commission the authority to fine companies a maximum of 4 percent of worldwide annual revenues or $23.8 million. The policy impacts American companies that have customers anywhere in the European Union whose records have been breached.
Without an overarching set of integrated cybersecurity laws that clearly and overtly protect consumers from data breaches, the Federal government has forced state governments to act. The vacuum of national policy places corporations that operate across states in a kind of “no-man’s land” of information and guidelines, populated with regulatory land mines. In short, the jumble of laws makes companies even more liable to lawsuits from consumers and local governments than they would be if there was a superseding set of policies, like the GDPR.
The states, for their part, have in earnest made efforts to protect their citizens by ensuring the liability for corporate data breaches lies squarely with companies. New York state is one of the most high-profile instances of one of its agencies placing the onus for cyber defenses squarely on organizations. The New York State Department of Financial Services (DFS) created a 14-page compliance handbook that details what financial services need to do to meet cybersecurity objectives. It does not direct organizations on how they need to meet the requirements, however. The regulation came into action in March 2017, with evidence of compliance due for DFS review annually.
Measures to Take
It may be some time before Congress is able to focus and align intentions to fortify consumers and organizations against cyber attack. 2018 is an election year with many seats in both Houses up for grabs. The attention of many congressmen will be on getting reelected. It’s more likely than not this year that companies will continue to try to build a coherent picture of their cyber responsibilities on a state-by-state basis. Nevertheless, companies should take several governance measures to reduce the risk of liabilities levied against them at the regional level.
Appoint a Cybersecurity Officer or Manager to take the lead and be responsible and accountable for ensuring that their employer is compliant with federal and local regulations related to cybersecurity. In smaller organizations, the Cybersecurity Officer should report to the owner or CEO of the company on at least a quarterly basis. The frequency of meetings should reflect the geographic scope over which the business operates and the related thicket of state-level cyber regulations with which it must deal.
Larger organizations need a C-level role to take the responsibility of shaping and mobilizing cyber defenses within the company. The Chief Information Security Officer (CISO) must provide the Board of Directors with the data and issues it needs to know about to make informed decisions about cybersecurity risks. New York State’s DFS cyber directive has the CISO reporting to the Board on an annual basis. This frequency of meetings may work for a single state; however, for operations that span several states, more meetings with the Board may be in order.
Further, the CISO should coordinate with the company’s legal department to ensure the organization is versed in state-by-state cybersecurity regulations and the impact they may have on the enterprise in case of a data breach.
It may also be in the company’s best interest to invest in cybersecurity insurance. Cybersecurity insurance is a fast-growing business in a world in which bad actors are becoming increasingly sophisticated in their attacks on company information systems, and ever more brazen.
Updates – July 2018
During the first half of 2018, the United States Congress has been busy crafting legislation that targets foreign product and services vendors that pose a cybersecurity risk to government agencies
Meanwhile, the Security and Exchange Commission (SEC) has released new guidance on cybersecurity policies and procedures for listed companies. The SEC released the Interpretive Guidance on Public Company Cybersecurity Disclosures on February 21, 2018. The guidance refers to the responsibilities of Boards of Directors to ensure enterprises are current in their planning for and response to cyberattacks that may cause material damage to investors.
According to The Legal Intelligencer, corporations must:
- Re-evaluate the process that the company’s board of directors uses to discharge its responsibility for cybersecurity risk oversight;
- Review the company’s policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures; and
- Consider whether the company’s cybersecurity risk factor and other disclosures need to be refreshed.
Like the New York State cybersecurity regulations for the financial sector, the SEC is placing responsibility on Boards for a listed company’s planning for and response to cybersecurity breaches. As the Intelligencer article states, “The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors.”
The SEC wants Boards to understand that enterprise cybersecurity is no longer just an IT department thing.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, Wireless/Copper Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information