As businesses struggle to sort through the dizzying array of new requirements, common ground is emerging that may pave the way to a more secure future
Written by Eben Kaplan
Cyber risks are nothing new; companies have been getting hacked for decades. But in recent years the scale, sophistication, and relentlessness of the intrusions, and attempted intrusions, that businesses face on their networks have ballooned. Headline-grabbing breaches have become increasingly common, thrusting major companies into crisis. And across industry, senior executives and boards of directors are scrambling to make sure they are not next.
Corporate executives are not the only ones spurred to action by growing cyber risks. Around the world, governments are beginning to hold organizations accountable for securing their networks and the data they host. But the exact regulatory requirements are not always clear, and they can vary from jurisdiction to jurisdiction or even from one regulatory agency to another.
Just consider the regulatory environment in the United States, where three federal agencies, the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the Federal Communications Commission (FCC), all assert their authority to sanction companies for lax information security. The FTC requires companies to take “reasonable” security measures, particularly around the protection of consumer data, but does not explicitly define what constitutes reasonable protection. The SEC has held financial sector companies accountable for poor cybersecurity and telegraphed its intention to ramp up enforcement.
Last year, the SEC announced it would begin interviewing broker-dealers and investment advisors about their information security practices, including the use of a sample questionnaire that offers insights into what SEC regulators believe is necessary. In the communications sector, the FCC began to flex its own regulatory muscle last fall, sanctioning a pair of telecom companies that were charged with mishandling customer data. Like the FTC, the FCC does not have an explicit set of requirements, but the FCC Chairman has indicated that the Commission would use the recently published Cybersecurity Framework from the National Institute of Standards and Technology (NIST) as its guide.
And that’s just at the federal level. At the state level, 47 of the 50 US states have enacted breach notification laws that require companies to inform individuals when their personal information has been compromised. But the requirements vary from state to state, often adding to the headaches of firms in the aftermath of a breach.
Regulators aren’t the only ones pressuring companies to better manage cyber risks. Companies are increasingly holding each other to account as well. Following a series of high-profile breaches in which attackers used third-party vendors’ networks as the entry point to their eventual targets, many companies have begun scrutinizing the service providers allowed on their own networks. This due diligence can take many forms, from questionnaires to network inspections to requiring certification against a particular industry standard.
Meanwhile, heightened awareness of cyber risk has sent many companies scrambling to purchase insurance to at least transfer some of their risk. According to one market survey, the cyber insurance market grew 30 percent in 2013, and another 50 percent in 2014. As companies purchase insurance, they are being asked to complete questionnaires or subject themselves to more rigorous reviews of their information security practices.
As with the regulatory landscape, there is little uniformity in the standards to which companies hold each other. Keeping track of the various public and private sector criteria is challenging even on a small scale. For large companies with a global footprint and thousands of client relationships, it can be dizzying.
If there is any consolation, it is that even though companies are held up against multiple yardsticks, a consensus is beginning to emerge around the broad principles of what is necessary to properly manage cyber risks. At the core of this consensus is the recognition that cybersecurity is not simply a technology problem. Although cyber risks have a technical nexus, managing those risks involves processes and governance that cover a much broader swath of an organization. A good information security program will do the following:
- Identify the organization’s most important assets. Networks are inherently vulnerable and security budgets are finite. By identifying what matters most, organizations can be more strategic about where to prioritize their defenses.
- Understand the threat. Not all organizations are exposed to the same levels of risk. A specific understanding of the kinds of threats an organization faces and the potential consequences should those threats materialize allows a company to make more risk-informed decisions.
- Recognize the business context. Cybersecurity does not occur in a vacuum; efforts to manage cyber risks can often butt up against business interests and the bottom line, but security lapses can also have dire consequences. Companies should determine how much risk they are willing to tolerate and strike the appropriate balance.
- Plan ahead. Every network is penetrable; breaches are inevitable. What a company does to detect a breach and how it responds when one is detected can have a tremendous impact on the ultimate outcome. Once the plan is written, test it with an exercise.
Cyber due diligence requires thinking more like a potential attacker than an auditor; it is about process rather than checking the box. Much of that process involves questions about corporate strategy that should ideally be addressed by an organization’s senior leaders.
If there is any silver lining to the growing wave of cyber threats, it is that corporate leaders are increasingly focused on managing these risks and setting the tone for the rest of the organization. Keeping track of different requirements from various partners and regulators will remain a challenge, but companies that have sound fundamental practices in place will typically clear whatever bar has been set.