In my April column, I explored how corporate executives can use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop enough non-technical expertise to successfully navigate key cybersecurity risk management concepts. Not surprisingly, federal regulatory agencies have found the Framework useful too. So how might the work of two federal agencies in particular result in broadly adopted cybersecurity standards and practices, all without the passage of new legislation, rules or regulation?
The Federal Trade Commission Wins Big
The FTC has become the nation’s leading force to drive and enforce consumer privacy. Still, it was not without controversy when the FTC, without first defining “reasonable” security, began to bring more and more cases against companies for failing to “reasonably” secure consumer information. One company fought back, arguing in part that the FTC violated “basic principles of fair notice and due process” by holding companies to standards without any “rules, regulations or other guidelines explaining what data-security practices the Commission believes [the law] to forbid or require.”
In early April, a federal district court considered the argument and then issued a resounding victory for the FTC. The court held that the FTC must be allowed “flexibility” in bringing unfairness claims, and accepted the notion that the body of consent decrees entered into between the FTC and industry help define what is “reasonable” data security. As a result of this decision, should the FTC begin referencing the NIST Framework in future consent decrees, the Framework very well might become the legal standard of reasonableness for all U.S. cases involving consumer privacy.
In early May, the FTC’s Chief Administrative Law Judge held that in an enforcement action the FTC must disclose “what data security standards, if any” it has published and intends to rely upon to demonstrate that a company’s data security practices are not reasonable and appropriate. The FTC has suggested that, at a minimum, every company should expect to be judged by a 2011 FTC business guidance brochure as well as against whatever industry guidance sources the particular company has adopted for itself.
Meanwhile, the FTC Commissioner recently testified before Congress, recognizing that “there is no one-size-fits-all data security program.” Coming as quite a relief to many, the Commissioner acknowledged that perfect security is not at the heart of the reasonableness test, assuring weary businesses reeling from unrelenting hackers that “the mere fact that a breach occurred does not mean that a company has violated the law.”
SEC Starts Asking Questions
The odds are high that this year your company will have to answer at least one cybersecurity questionnaire. Companies are asking their third party vendors to describe their cybersecurity practices; law firms and auditors are stressing the need for companies to conduct cybersecurity due diligence prior to any merger or acquisition; and, insurance carriers are asking questions about network security practices and risk culture in order to determine eligibility and pricing for cybersecurity insurance.
On top of it all, this past April the SEC announced its intent to examine at least 50 registered broker-dealers and investment advisers to determine their “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.” The SEC also published a sample list of 28 requests for information that it “may use” when conducting its exams. Highlights include:
- A copy of the firm’s information security policy and business continuity of operations plan;
- A description of any potentially moderate or high-risk assessment findings that have not been fully remediated;
- Procedures for assessing cybersecurity risks posed by vendors and business partners.
Yet, the most significant aspect of the sample document request may be about its potential adoption by industry. The SEC is marketing the list as “intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness” and, by extension, to assess the preparedness of third parties. Should industry voluntarily adopt all or part of the list (for example, during vendor contracting or preceding corporate transactions) the SEC very well could change the face of cybersecurity due diligence.
Although NIST prepared a voluntary cybersecurity framework, it would be a mistake to think that the government is waiting patiently for companies to adopt risk-based cybersecurity measures. With the FTC and SEC taking over where NIST left off, the government’s influence can extend quickly and dramatically.
About the Columnist:
Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, and network security pen-testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at firstname.lastname@example.org. You can follow him on Twitter @StevenChabinsky.