Everyone talks about cyber-security—and now, for the first time in ages, somebody might actually do something about it.
Washington has seen a spasm of attention on the subject lately, both in the halls of Congress and at the Securities and Exchange Commission. Most likely we will first see some sort of legislation passed by Congress to, among other things, clarify breach disclosure requirements. And some regulatory smoke signals suggest the SEC may also be ready and willing to reconsider its approach to cyber-security disclosures.
The SEC last addressed cyber-security in a substantive way in 2011, with staff guidance prodding companies to disclose information about cyber-attacks, both in terms of risk exposure and post-breach effects, that a “reasonable investor would consider important to an investment decision.” For Management’s Discussion & Analysis, the guidance recommends disclosing cyber-security risks and incidents if they materially affect operational results, liquidity, or financial condition, or cause reported financial information not to be indicative of future operating results.
That guidance, however, lacked the gravitas of formal rulemaking. It left most decisions on what and when to disclose in the hands of issuers. Direct correspondence to specific companies, usually in response to media coverage of a breach, has been the SEC’s go-to move for demanding more detail in post-breach disclosures.
Congress, meanwhile, has not done much on cyber-security in years. Beyond industry-specific requirements for healthcare and banking, most disclosure requirements have been dictated by state governments, leaving compliance departments stuck in a patchwork of various disclosure regimes across the nation.
Now change may be afoot. One recent hint was dropped courtesy of Smeeta Ramarathnam, chief of staff to SEC Commissioner Luis Aguilar. At the annual RSA security conference in April, she spoke of how the “SEC is about to enter a time of great change, when the disclosure rules will be changed.” As the SEC conducts a sweeping review of its disclosure regime, cyber-security is one area where new disclosures could be added, she said. In recent public statements, SEC Chairman Mary Jo White has also suggested that any new regulation in cyber-security would likely come as part of that review.
David Glockner, director of the SEC’s regional office in Chicago, recently addressed the enforcement side of matters. “This is an area where we have not brought a significant number of cases yet, but it is high on our radar screen,” he said at the Practising Law Institute’s annual SEC Speaks conference. “We are paying attention to a number of issues, including the adequacy of registrant cyber-security controls.” The SEC is also looking at “the adequacy and timeliness of corporate disclosures concerning material cyber-security risks and events,” he added.
Glockner stressed that the Enforcement Division works closely with the Office of Compliance Inspections and Examinations. That office, with its cyber-security focus on financial firms, offers a peek at what broader requirements for all registrants might look like.
In guidance issued on April 28, the SEC’s Division of Investment Management informed broker-dealers, investment advisers, and investment funds that they will be required to regularly test and maintain written policies on cyber-security, including procedures for third-party vendors, employee training, and security procedures and controls. It dovetails with OCIE’s guidance from April 2014 and a subsequent examination sweep.
The SEC and other regulators should focus on a better definition of what constitutes “reasonable security measures,” says Jim Wiltraut, director of federal government relations for the law firm Buchanan Ingersoll & Rooney. Before companies and privacy advocates sign onto any legislative or regulatory plan, he says, that crucial phrase must be clearly defined. He likens the challenge to similar definitions needed for money-laundering or bribery controls. “If you weigh the amount of risk versus the preemptive actions you took, you can compare and contrast,” he says. “Was that approach reasonable given that you had a billion in assets you were trying to protect?”
“There should be minimum standards for what that security should be across the board,” says Jasper Graham, former technical director at the National Security Agency and now senior vice president at Darktrace, a cyber-security firm. “If banks built their buildings out of straw, they would be held liable if they were robbed. The same should be applied to networks that house important data.”
Another important debate is when to disclose a breach. “It’s easy to say it should be immediate, but if you are actively hunting down the perpetrators, especially if you are working with law enforcement, you could tip your hand,” Graham says. A premature announcement could scuttle attempts to prosecute hackers.
Congress is considering different approaches to this dilemma. The Senate’s Data Security and Breach Notification Act would require consumer notification within 30 days of a breach discovery. A similar bill with the same name in the House requires companies to have “reasonable security” measures and to notify the government and affected consumers 30 days after the breach has been stopped and remedied.
Any new SEC rule on cyber-security would likely stick with the agency’s traditional approach of disclosing data to the investing public. Legislation in Congress, however, would go further and create a means for companies to share information with each other and the government.
The following is from recent cyber-security guidance issued by the Securities and Exchange Commission’s Division of Investment Management.
In the staff’s view, there are a number of measures that funds and advisers may wish to consider in addressing cyber-security risk, including the following, to the extent they are relevant:
• Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cyber-security threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cyber-security risk. An effective assessment would assist in identifying potential cyber-security threats and vulnerabilities so as to better prioritize and mitigate risk.
• Create a strategy that is designed to prevent, detect and respond to cyber-security threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy.
• Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cyber-security policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber-security threats concerning their accounts.
The Protecting Cyber Networks Act would allow direct, voluntary information sharing between a company and a federal agency. The National Cyber-Security Protection Advancement Act would designate the Department of Homeland Security as the clearinghouse for reports (as does an executive order issued by the Obama Administration in February). The Cyber-Security Information Sharing Act, already passed in the House and in the hands of the Senate, encourages private companies to share information with government agencies by providing legal immunity when that data includes personally identifiable information (PII). Ensuring that PII is not compromised and that companies have liability protection are crucial, Graham says: “You need to know you are then not going to be punished for trying to do the right thing.”
“The concern companies have in sharing cyber-security information across the private and public sector is that we worry about liability, intellectual property protection, and protecting confidential business information,” says Hari Ravichandran, CEO of Endurance International Group, a website-hosting company. “Folks always want to do the right thing and keep the bad actors away, but if you don’t have a framework that protects their business interests it is very difficult to be forthcoming and share information.” Having a legal framework that offers those protections is crucial, he says.
Another means to share cyber-security information could be a version of the Suspicious Activity Reports that are already a fact of life for financial firms, says Austin Berglas, head of U.S. cyber-investigations for the security firm K2 Intelligence.
“Regulators would need to further refine what would trigger a SAR, but the existing format could be changed to make it a ‘cyber-SAR,’ which would collect information such as attack indicators and attacked domains, and it would have a section on the tools, techniques, and procedures of the adversary,” he says. “That information is gold for the government to review and get a better understanding of what is happening out there.”
The Obama Administration’s proposed Personal Data Notification and Protection Act puts the Federal Trade Commission on the front line of cyber-security efforts, supersedes existing state laws, and requires any business that “uses, accesses, transmits, stores, disposes of, or collects” the personally identifiable information of more than 10,000 customers in a 12-month period to report any compromise of that information within 30 days of a breach. The FTC would have the authority to grant an exemption from that notification if the post-breach investigation assures it that no measurable harm was suffered.