How To Protect Your Company From Cyber Regulatory-Enforcement: Part 1
As written For NetworkWorld & CIO.com
A lot has changed in the world of cyber regulation over the past few years. In September of 2013, the FTC pursued its first action against an IOT (internet of things) company. A year later they aggressively began aggressive foreign and cross border cyber enforcement. In October of 2014, the FCC joined other regulators and began their enforcement of data security failures. September of 2015 brought the widely reported SEC administrative proceeding against RT Jones for violating the “Safeguard Rule” in failing to establish and implement written cyber protection policies. Next was Morgan Stanley. In March of this year the CFPB brought its first action in the form of a consent order against a company pre-emptively without the assistance of any breach trigger. And just this past week, the New York DFS proposed new cyber guidelines for financial institutions.
At this stage, the future of cyber enforcement has been clearly painted. It’s likely safe to expect that the list of regulators will continue to grow along with their security requirements, as enforcement continues to increase and fines and penalties become more severe. In order to protect themselves, organizations and their executives need to develop cyber frameworks and internal security environments that are living, breathing and constantly evolving, both to adequately protect against outside threats and in order to meet the increasing demands of regulators. They must also ensure their cyber insurance policies provide sufficient coverage for regulatory proceedings and associated penalties.
When controls fail and security incidents occur, it goes without saying that investigations and fines are close behind. In fact, some actions are pre-emptive in nature (as mentioned above) commenced without any breach occurring. A review of the FTC’s cyber enforcement actions, effectively demonstrate that regulatory enforcement is not limited solely to Fortune 500 companies – there are many “smaller” companies included on that list. The most common causes of enforcement actions revolve around:
- Security Failures, and failure to protect employee data: The most commonly referenced violations included; misleading statements and misrepresentations regarding the adequacy or extent of security measures taken, failure to properly secure data, security vulnerabilities related to mobile applications, failing to encrypt data and/or employ SSL, and failure to adopt written policies.
- Deceptive privacy practices & unauthorized collection of information: As discussed each year at privacy-con, privacy disclosures and information acquisition have been a topic of much debate. The most commonly cited wrongful actions related to privacy policies included: improper use of cookies to track or gather information, blatant disregard of published policies, privacy policies that did not adequately reflect actual usage, and inadequate software descriptions among others. In terms of data acquisition/usage and violations involving deceptive practices related to that information, violations tended to revolve around: deceptive collection of information and misrepresentations including collection of information without disclosing the intent or scope of collection, deceptive “opt-in” practices, and improper usage of software or software “extensions”.
- Failure to abide by foreign and cross-border privacy rules: Cross Border and foreign cyber regulation appears to be a growing area of interest for the FTC. Since the FTC’s initial action against American Apparel in May of 2014, the agency immediately followed with enforcement against an additional 14 companies, with violations against another 15 companies a few months later. Most of those actions were for violations of the US-EU safe harbor rule.
A compliant cyber program is multi-faceted, ever changing and continually expanding. In order to prevent your organization from becoming the target of a cyber regulatory action, companies should: 1) have an established cyber security/governance framework with documented policies and procedures, 2) incorporate periodic assessments through white hat stress tests to evaluate the efficiency of implemented controls, and 3) establish and monitor metrics in order to gauge the efficiency of adopted security controls. Most importantly (among other items), these policies and procedures should include the following:
- Appointment of a qualified chief officer to implement, oversee and manage the cyber security environment and documented policies.
- Implementation of basic security controls such as antivirus software, firewalls, SSL, access rights and multifactor authentication.
- Documented vendor qualification to ensure all outside providers and 3rd party vendors have sufficient cyber controls in place.
- Compliant data collection policies & disclosures. These policies should clearly disclose the companies’ policies on the collection, acquisition, use and sharing of confidential information. All “opt-in”, and opt-out” policies should be accurate and adhered to, and any changes in those policies should be promptly and properly communicated
- Secure document identification and management. This entails ensuring data is securely stored, properly encrypted, properly transmitted and adequately disposed of.
- Employee training. With a large percentage of breaches resulting from employee errors, sufficient training is becoming more important than ever, especially to protect the organization against phishing attacks and social engineering attacks which are becoming highly sophisticated in both their timing, execution and methods. Employee training should address, among other items: verification of email authenticity and wire instruction orders, password setting and security, identification of email phishing schemes and other suspicious activity.
- Maintaining proper backups and restoration procedures of both critical user data, and software, etc.
- Controlling and Monitoring Physical access: Ensuring employees are supervised when accessing secure areas and employing key card systems that maintain access logs. Organizations should also verify the identity of all outside 3rd party inspectors, maintenance workers, and IT professionals. For investment/financial firms and public companies, software should also be implemented to track suspicious behavior.
- User Management & Access: This includes implementing strong password policies, requiring password refreshes, reviewing access privaledges, requiring the installation of software updates and more.
- Formal, documented Incident response plans to ensure that all breaches are disclosed in a timely manner with proper action taken. Organizations should be familiar with the varying notification laws in the states/countries in which they operate. Remedial action should include making necessary improvements to your cyber security framework, improving policies and procedures, and updating hardware/software in order to prevent a future breach or violation.
- Lastly, when all else fails, the last line of defense is a cyber insurance policy. The regulatory defense coverage clause maintained within many cyber policies, was initially born with the intent of providing coverage primarily for PII related breaches and the follow up PCI investigations and fines that followed as a result. Over time however, that clause has been expanded significantly and has received a great level of grooming to appropriate it for a greater range of regulatory actions including those encountered by financial/service firms and public companies alike. A typical regulatory insuring clause will provide coverage for:
“….Claim expenses and regulatory damages that an insured incurs responding to any regulatory proceeding first made against the insured and reported during the policy period resulting from a privacy or security wrongful act…”.
Like all professional and management liability policies, cyber insurance policies lack any form of standardization and are mazes of very specific verbiage requiring careful navigation in order to arrive at a proper translation. Many of the details lie in the definitions (as bolded above). Insuring agreements pulled from policy specimens from some of the largest insurers yielded considerable verbiage differences with greater coverage implications. It is important that organizations engage in a dialogue with their brokers to understand those definitions and the extent of coverage afforded. Some of the more important items of review include:
- Ensure “wrongful acts” are not limited solely to “a breach of privacy laws” or “failure to notify of a data breach incident”, those are just 2 of many wrongful acts that should be included. In addition, acts of rogue employees and service providers should also be included.
- With many enforcement actions naming principals/executives, it is important to ensure the definition of “insured” is inclusive of the entity, any domestic/foreign subsidiaries (if intended) and all CISO’s, CTO’s, foreign equivalents and any other parties for whom coverage is intended.
- With defense costs accounting for a large portion of the damages sustained and fines expected to increase, organizations should carefully review the definition of “claim expenses” and “regulatory damages” to ensure the defense coverage is sufficient and that the policy affirmatively provides coverage for fines and penalties.
- Ensure the policy does not limit “privacy events” solely to theft or unauthorized access of PII (personally identifiable information). PHI (health information) and CCI (corporate confidential information) should also be included.
- Buyers should seek trigger language that allows coverage at the earliest stage of an investigation or action. Cyber insurance policies should allow coverage to be triggered by requests for information, investigative demands and regulatory proceedings – any policies that require a “formal suit” should be avoided.
- Ensure the definition of “computer systems” is not limited to leased/owned computers or those solely in control of the organization. Computers in the care/custody of service providers should also be included.
The cyber security environment is fast moving and companies need to be both proactive, reactive, and a bit creative when it comes to managing that risk. Organizations should also maintain a wide peripheral view in order to understand the sources of security incidents (and available remedies) within their industry. While the potential for regulatory enforcement actions are always possible, often, simply implementing strong controls, ensuring transparency and employing a common-sense approach when reacting to security breaches, can significantly minimize the likelihood that the regulators will come knocking.