Firms expect greater government cybersecurity oversight

The U.S. Senate recently proposed a cybersecurity disclosure bill that would require public companies to describe what cybersecurity expertise their boards have, or, if they don't have any, what steps the companies are taking to get some expertise onto their boards

"It seems like a pretty simple and straightforward bill," said Chris Wysopal, CTO and CISO at Veracode. "It doesn't have anything onerous except some disclosures about the board. To me, it has a chance of passing."

The bill fits neatly into some research that Veracode conducted with the New York Stock Exchange, in which a surprising 90 percent of corporate board members said that regulators should hold businesses liable for breaches if they were negligent with customer data or failed to have reasonable security in place.

"But there's no clear guidance from the SEC or the FTC about what is reasonable security practices," he said. "Boards want to see more clarity there."

Companies already have many reporting and compliance requirements that impact spending on cybersecurity. In fact, according to a survey released just this week by the Ponemon Institute, the need to comply with privacy or data security regulations was the single biggest driver of the use of encryption technology.

There are already numerous federal laws and individual state disclosure requirements, but as the breaches keep coming, security experts expect that the amount of oversight will only continue to increase.

Take the Securities and Exchange Commission, which has recently been stepping up its cybersecurity-related activity.

In 2011, the SEC issued guidance requiring publicly traded companies to report cybersecurity risks alongside other kinds of material risks.

"For listed companies, the guidance that was provided in 2011 is still the main focus that most are still using as a baseline," said Peter Dugas, managing director of government affairs at FIS’ Center of Regulatory Intelligence at FIS Global.

For example, companies need to report if there are aspects of their business or outsourced functions that create cybersecurity risks, if they've had security incidents that have had impact on the company, and even the potential risks of long-term undetected attacks.

But the guidance leaves a lot open to interpretation.

There is a lack of clarity, said Sara Romine, attorney at Carrington, Coleman, Sloman & Blumenthal, L.L.P.

"We know that you don't have to disclose vulnerabilities so that you would be providing hackers information on where the company is vulnerable," she said. "But you know that you have to disclose enough that investors appreciate the nature of the risks facing the company. So where do you draw the line? How much do you have to disclose?"

And should a company report a data breach when it's not required to under other regulations, she asked.

"That is an area that I think the SEC will become even more interested in," she said. "If it's reasonably likely that a breach will lead to reduced revenues or have a material impact on the business, there would be some reporting obligations."

In the last couple of years, however, the SEC has turned its focus on Wall Street institutions.

For example, the SEC recently indicated that they were going to look at how brokerages are managing third-party risk, such as that from purchased software or cloud-based services.

"We're seeing that this is a new trend, and an important one," said Wysopal. "We're seeing more and more stuff moving to the cloud and being managed by third parties."

Last February, the SEC conducted a cybersecurity sweep examination that determined that 88 percent of broker-dealers and 74 percent of registered investment advisers had suffered cyberattacks either directly or through their vendors.

In the fall, the SEC announced that it will do a second round of examinations of financial services firms focusing on a number of cybersecurity topics including vendor management.

According to the SEC's Office of Compliance Inspections and Examinations, other areas of focus include governance and risk assessment, access controls, data loss prevention, training, and incident response.

"We expect continued scrutiny of the areas covered in past years, with new emerging risk areas being evaluated," said Glenn Siriano, financial services leader for KPMG Cyber at KPMG.

Those new areas include emerging technologies, new external threat vectors, deeper assessments of third-party vendors, usage of social media, and managing insider threats, he said.

And the SEC has been moving beyond conducting inspections and issuing guidance, said Dave Mahon, CSO at CenturyLink.

"They're beginning to get a better understanding that this is a bigger problem," he said. "They're trying to get their hands around it, and you're starting to see more audits."

For example, he said, there was the recent enforcement action against RT Jones, a regional investment company that had a breach that exposed client brokerage records.

In that case, the brokerage was fined $75,000 because for nearly four years the firm failed to adopt any written policies or procedures to ensure the security of personally identifiable information and to protect it from unauthorized access.

The SEC is adding teeth to its enforcement, confirmed Ernest Badway, co-chair of the securities industry practice at law firm Fox Rothschild LLP.

"There have been several enforcement actions against a variety of broker dealers, investment advisers, and funds," he said.

The SEC's core objective is to protect retail investors, said Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyberrisk Services at Deloitte & Touche LLP.

"So investment firms, asset management firms, are likely to be the first wave of people who are likely to be examined," he said.

That will be the focus of the additional testing that is likely to take place this year, he said. But it won't stop there.

"In the end, this is all a push to raise the bar on cybersecurity across all institutions," he said.

While the regulators and legislators continue to struggle with the issue, the third branch of government, the judiciary, is also stepping up -- and may have an even bigger effect.

"When you see the board being sued for negligence, the board of directors is beginning to realize that this is part of their governance and fiduciary relationships," said CenturyLink's Mahon.

"Things have changed a lot on the board level after the Target breach," said Torsten George, vice president of global marketing and product management at RiskSense. "It was a watershed event. The court sided with the consumers, and the court also sided with the consumers on the Wyndham Hotel suit. It also had major impacts on boards. Those boards suddenly woke up."
