Cybersecurity has become a dominant topic of the day. The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “ data broker” trading in personal data – all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected. Over the past year, these forces have begun to merge an old concern by individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lay vulnerable.
In many respects, however, the concept of cybersecurity is not new. Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls. Decades-old statutes include information security requirements for certain types of information, the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and the Gramm-Leach-Bliley Act (GLBA) addresses financial information. Add to those statutory regimes the U.S. Federal Trade Commission’s (FTC) enforcement authority over corporate information security practices pursuant to Section 5 of the FTC Act (recently upheld in Federal Trade Comm’n v. Wyndham Worldwide Corp.) and certain state-based data security regulations that require corporations to safeguard personal information (e.g., 201 CMR 17.00, et seq.). The net effect of these regulatory drivers is that many organizations have focused for decades on developing administrative, physical and technical safeguards for effective protection of personal information – resulting in a programmatic approach to information security.
Now, along comes the evolution of cybersecurity with its own emerging standards. Organizations are asking themselves whether they need to do something different or in addition to the programmatic steps already taken to comply with information security requirements that are applicable to the organization. The good news is that while some additional work likely will be required as described below, companies with solid programmatic approaches to information security are well on their way to meeting the following emerging cybersecurity standards.
NIST Cybersecurity Framework
On February 12, 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” The Executive Order has several key components, but most importantly, it contains a requirement for owners and operators of “critical infrastructure” to develop a cybersecurity framework. The Order directed the National Institute of Standards and Technology (NIST) to develop a baseline cybersecurity framework to reduce cyber risks to critical infrastructure. NIST subsequently developed its “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released on February 12, 2014. The goal of these efforts is to provide organizations with a cybersecurity framework as a model for their business. While at this point, the Framework is intended to provide a voluntary program for owners and operators of critical infrastructure, it is already starting to seep into federal “incentives” used to encourage the private sector to comply with the Framework. And the Framework itself may evolve into a sort of “security” standard of care.
SEC Cybersecurity and Disclosure Laws
In addition to the Framework, the U.S. Security and Exchange Commission (SEC) recently held a roundtable on cybersecurity to explore whether the current SEC guidance on cybersecurity is working and how it could be improved. SEC Chairwoman Mary Jo White has emphasized that the SEC’s 2011 guidance makes clear that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed.” After wrestling with what disclosures the SEC should require, SEC Commissioner Louis Aguilar recently stated “There is no doubt that the SEC must play a role in this area. What is less clear is what that role should be.” He proposed the creation of a cybersecurity task force to advise the Commission on its future demands and disclosure requirements. It is clear that the SEC is struggling with its role in cybersecurity incident response and how to guide without being too proscriptive.
Recommended Next Steps for Companies
Against this backdrop, companies in any industry trying to make sense of what they should do next with respect to cybersecurity and its emerging standards should consider taking the following next steps:
Assign an accountable function to become knowledgeable about the NIST Framework and related ongoing governmental developments;
Use the Framework’s recommended approach to undertake a review of the company’s infrastructure and security protocols;
Examine the company’s existing security protocols (for example, those instituted in response to requirements for the protection of personal data) and develop a current profile of the company’s existing security posture;
Establish the overall desired security objective – in other words, where the security profile should be in light of the company’s industry, type of information processed and other relevant factors;
Develop a gap analysis of action steps needed arrive at the desired objective;
Prioritize those actions steps, available resources and an appropriate timeline;
Where possible, use the language of the Framework and its approach because even if the Framework is voluntary at this point, that Framework could become the standard by which companies are measured going forward.
It is increasingly clear that the issue of cybersecurity is no longer limited to traditional notions of information security designed to protect personal information. Rather, cybersecurity is about protecting all types of confidential information — as well as a company’s infrastructure — against unpredictable cyber threats. This can be new, developing, and difficult to predict. But one thing is clear: Information security is just one side of the security coin that companies must manage. Cybersecurity is the other, with a different focus, different emphasis and, in time, different regulatory expectations and requirements.