On February 12, 2014, the White House unveiled its final Cybersecurity Framework 1.0 along with a new U.S. Department of Homeland Security (DHS) “Critical Infrastructure Cyber Community (C3) Voluntary Program.” This capped off a yearlong initiative led by the National Institute of Standards and Technology (NIST) in coordination with DHS, and is the result of a Cybersecurity Executive Order (EO) issued in 2013 by President Obama. The EO directed NIST and DHS to work with the private sector to create a Framework that includes tools to help companies address and mitigate cyber risks. The final Framework includes a series of modifications throughout the document: Appendix B, which in earlier drafts of the Framework addressed privacy issues, was removed in favor of a more holistic approach that does not conflict with existing privacy laws. Appendix C, “Areas for Improvement,” was also removed, but its content is anticipated to become part of an evolving effort by NIST to create a “roadmap” for discussion in the future. Language that identifies cybersecurity as an issue every company needs to address regardless of its size and/or level of “cyber sophistication” was added. It also clearly states that there is an expectation that companies will work within their own supply chains to address these risks with their suppliers.
DHS PROVIDES BACKGROUND ON THE NEW C3 PROGRAM
On February 19, 2014, DHS provided additional background on the new program. It will be used in coordination with the existing DHS Cyber Resiliency Review (CRR) process, which DHS has used to support organizations in connection to the cybersecurity framework. The CRR is a no-cost self-assessment organizations can download to understand their efficiencies and deficiencies. To date, DHS has conducted more than 330 CRRs focused on helping organizations know where they are in terms of the tenants of the cybersecurity framework.
Who Is Impacted By The Framework?
The misnomer is that the Cyber Framework only affects “Critical Infrastructure” entities, which, as defined by the Administration, include 16 sectors (banking and financial services, energy, transportation, water, food etc.). If your organization is publicly traded, does work with the federal government as a contractor, uses an online presence to sell a good or service and/or incorporates personally identifiable information (PII), the Framework will affect you. Supply chain issues are also part of this process, and for those who live in that world--information technology, industrial control systems (ICS) and communications sectors--they are impacted as well.
Six Emerging Cybersecurity Risk Factors: The “Perfect Storm?”
The parade of high profile cyber-attacks have created the “perfect storm” for potential new policy, legislative, regulatory and compliance issues by state, local and federal agencies. It is critical that entities understand how these issues come together. Yet, does any company have one person who ultimately understands how these emerging trends impact their business who can brief the C-Suite on these impacts? Here are six emerging external risk factors that every company should be aware of:
- Framework Implementation: The Administration, led by DHS, in conjunction with Sector-Specific Agencies (SSAs), will be working with companies to determine who will use the new Framework. The C3 program will be a tool that can be used to help companies navigate the process, but ultimately, there will be an evaluation on who is using it and if the voluntary program bolsters cyber defenses.
- Likelihood of New Regulations? The EO directed all regulatory agencies to review existing authorities to see if they have the authorities needed in the event the Administration decides to promulgate new regulations. The stated goal is to streamline existing regulations, however, there will be an obvious “honeymoon” period when the Administration will evaluate if the Framework achieves the ultimate goal of raising “cyber hygiene” and if not, could pursue new regulations. At the same time, independent regulatory agencies can make that determination now, and we are seeing movement there now.
- New Securities and Exchange Commission (SEC) Requirements? The SEC has been ramping up its oversight of cyber risk by “spot checking” companies’ filings, and the Chair has been clear this is priority. On March 26, the SEC will hold a cyber roundtable and how they may proceed on new potential requirements may be made clearer. A recent D&O Diary report stated that despite the majority of companies that say cyber could impact operations, only one percent of the Fortune 1000 reported an event, and only six percent reported having cyber insurance.
- New Federal Trade Commission (FTC) Authorities? The FTC has initiated enforcement actions and litigation against a host of entities, including Wyndham Hotels. The commission claims Wyndham’s failure to protect their own networks caused fraudulent charges to consumers accounts, stating “… the repeated security failures exposed consumers’ personal data to unauthorized access.” The FTC is also concerned about cybersecurity and the use of mobile devices, another emerging area of concern in the government.
- New Cybersecurity and Data Breach Legislation: While cybersecurity legislation previously stalled, this Congress continues to move cyber bills, with the most recent action in the House Homeland Security Committee. The Target and Neiman Marcus breaches have caused a flurry of new data security bills to be introduced as well as a call for increased regulatory authority to be given to the FTC. Whether data security or broader cybersecurity bills move first, they will be vehicles for each other in this Congress.
- New State Cyber Laws? State and local governments are also expressing increased concerns over cyber risks to the companies in their respective states. At the same time, some states like Virginia are already moving forward to adopt the Framework, others like Maryland are debating bills to require all companies to adopt the Framework, and California and Hawaii have begun reviewing how to use the Framework.
What Do Companies Need to Do?
Every company manages risk—on company operations, reputational harm, impact on customers and the bottom line – very differently and in a way that meets its respective needs. The Administration is concerned about the resulting impact on the nation in the event of a catastrophic cyber attack—whether that means someone successfully attacks an electrical grid or steals hundreds of millions of people’s personal information. Can these interests meet in the middle? Companies need to quickly integrate cybersecurity concerns in a holistic risk management structure that brings together all of the disparate parts of their decision making trees—just as the government will begin assessing whether or not the voluntary Framework can work, or if new regulations are needed. The current risk landscape dictates that cybersecurity issues and concerns are here to stay. The best strategy to protect shareholders is one that includes a comprehensive evaluation of how each of these issues, integrated together, impact your company and ultimately creating a strategy to engage in the decision making process as a means to manage what may ultimately be new policy, legal and regulatory compliance issues.