The steady stream of high-profile data breach incidents we’ve seen over the last few years makes one thing clear: cyber risk is a serious concern for virtually any enterprise. Disruption of day-to-day business operations and damage caused by the exposure of critical intellectual property or consumer information are just a couple of examples of potential fallout from an information security incident, not to mention a tide of expensive and embarrassing litigation and the possibility of damaging regulatory inquiries or compliance actions.
Federal agencies extend their reach into cybersecurity
Not convinced? One need only look at the breadth of publicly disclosed document requests from the Federal Trade Commission (FTC) in response to recent data breaches to get a sense of the entirely new level of scrutiny regulators are focusing on information security risk management practices following a serious breach incident. Other federal agencies like the Securities and Exchange Commission (SEC) and the Commodity Futures Trade Commission (CFTC) are also extending their reach by issuing new guidance regarding cybersecurity. Even congressional committees are getting into the act.
Here’s a telling example: In a recent case involving an alleged violation of Section 5 of the FTC Act, the agency requested a stunning range of documents to assess the sufficiency of the defendant’s information security practices, including all “communications … about any security incident at any point in time,” all “forensic reports or analyses relating to any security incident” and all “external vulnerability scans provided to the company.”
Another example: In the wake of the notorious incident in which 70 million records were stolen from Target in November and December 2013, the House Committee on Energy and Commerce sent the company a letter giving it eight days to produce all “written policies or guidelines relating to threat monitoring, network security or point-of-sale system protection … from January 1, 2012 to the present” and all “e-mail correspondence, analyses, reports or any other communications relating to the Kaptoxa malware or to point-of-sale system security or any other information security systems implicated in this breach.”
Think about how your organization would respond to requests like these. Then consider the cybersecurity initiative recently published by the SEC’s Office of Compliance Inspections and Examination (OCIE), providing a sample list of “requests for information” the agency says it could use in conducting examinations of broker-dealers and registered investment advisers on cybersecurity issues. Among the specific sample requests are:
- A copy of the firm’s written information security policy
- Documentation of periodic risk assessments, including responsible parties and findings
- Identification of “published cybersecurity risk management process standards” used to model the firm’s information security architecture and processes
- Documentation of practices surrounding online account access by customers
- Documentation of cybersecurity risk assessments of vendors and business partners
For its part, the CFTC has released a set of recommendations for developing, implementing and maintaining a written information security and privacy program, including:
- Designation of a specific employee “with privacy and security management oversight responsibilities”
- Design and implementation of policies and procedures for responding to an incident
- Identification of “all reasonably foreseeable internal and external risks to security, confidentiality and integrity of personal information”
- Regular testing of the safeguards’ “controls, systems, policies and procedures” and maintaining a written record of their effectiveness
- Testing of the safeguards by an independent party at least once every two years
- An annual assessment of the program to be provided to the Board of Directors
How does your organization measure up against these guidelines? If the answer is “not so well,” you’re not alone. Cybersecurity is a relatively new challenge, and many organizations still lack a detailed, formal program for mitigating information security risk that goes beyond IT and involves collaboration with legal and other key business functions.
On the bright side, the process of developing a unified risk management program is often a valuable opportunity for companies to accurately analyze the true risks—and ultimately, the costs—involved in major initiatives.
How to respond now: Establish a unified risk management program
Get proactive about cyber risk management. Being proactive means you approach the problem as more than a compliance issue or “check-the-box” exercise. Instead, the goal is to develop a risk profile through an examination of the actual risks that stem from the unique characteristics of your business. Even if you already have a robust information security management program, proactive risk management will help you understand whether you should be doing more and how you can reprioritize security spending for optimal effectiveness. Generating detailed responses to the following questions should be a good start:
- What critical data should you be most focused on protecting?
- What are the specific threats to each type of critical data?
- What is your organization’s vulnerability to those specific threats?
Align legal and IT security before an incident occurs, because a lack of communication, cooperation and shared accountability among departments in the incident response process can exacerbate the damage of a breach event. Even IT staff and consultants who are trained in incident response may not understand the importance of creating a detailed, defensible record of response measures that will help address subsequent legal and compliance challenges down the road.
Embrace a risk management philosophy based on convergence among multiple business functions to effectively manage sophisticated cyber threats. In conducting workshops for companies seeking better ways to manage cyber risk and respond to incidents, we’ve found that the best approach is to bring leaders from legal, IT, corporate security and risk management together for an open dialogue. For example, in a recent engagement with a large financial services firm, we found that by bringing leadership together we were able to illuminate specific risks associated with third-party service providers based overseas and take the necessary concrete steps together as a team to assess and mitigate those risks.
Incorporate cyber risk assessment into your company’s strategic planning process so you can quickly and effectively assess the risks involved in new opportunities, such as a potential merger or acquisition, a venture into a foreign market where data protection laws are less robust or the release of a new web-based service to improve speed to market and maximize profit opportunities. Providing the key business executives with actionable intelligence regarding the nature of previously unknown risks can have a material impact on your approach to closing a transaction.
The Benefits of Planning
The pressure on attorneys and compliance staff to get a handle on information security risks has reached unprecedented levels. There is, however, a clear path to mitigation, and it begins with the recognition that all stakeholders need to come together to define the organization’s true risk profile and develop an effective—and defensible—cyber risk management plan.
Careful, unified risk management planning will not only help your organization identify business strategies and tactics that are unreasonably risky, it will also position you to move ahead promptly with transactions or other initiatives that might have foundered if risk analyses were performed independently by separate departments.
