Advisen thought leadership: Cyber-risk roundup and SMB challenges

By Mary Beth Borgwing and Tom Lahiff

This summer did you buy an ice cream cone at a roadside stand with a bankcard? Enter a corporate challenge run for charity? Adjust the air conditioning? Buy school supplies for your children?

If you did any of those things, you risked an unauthorized disclosure of your personally identifiable information to cyber thieves.

Malware was installed on point-of-sale devices at Dairy Queen stores, resulting in the theft of customer credit and debit card information. Cyber hackers breaching JPMorgan Chase’s Corporate Challenge website gained access to the names, addresses, telephone numbers and e-mail addresses of participants. A malware phishing attack mailed to Target’s HVAC firm resulted in the exposure of credit card and personal data of 110 million Target customers. Card-stealing malware has apparently been installed on POS devices at some Staples locations in the Northeast, resulting in fraudulent transactions at non-Staples retailers.

The approaching holiday season and the arrival of Black Friday are not just the busiest time of the year for retailers; they are also a time of increased activity by cyber thieves looking to steal the credit and debit card and personally identifiable information of millions of consumers who are shopping unaware of the risk of a cyber security breach.

An independent survey for GFI Software reveals that seven in 10 businesses have been severely disrupted or completely halted as a result of a spam attack. As in the case of Target, criminals are using spam to deliver malware payloads that breach corporate firewalls.

A white paper by corporate recruiter DHR highlights a survey of non-executive directors and CEOs: 78 percent list IT risk management as one of their top three management issues. But only 25 percent said that their organization had a detailed risk-management response plan.

The Wall Street Journal’s Dan DiPietro has reported that the cost of cyber attacks has doubled in just the past four years.

SETTING THE STAGE

Threats are everywhere and reports of major information security breaches appear in the media almost daily. These high profile breaches are grabbing the attention of Congress and the President, and calls by consumer advocates for increased regulation are not going unnoticed.

The FDIC Chairman, Martin Gruenberg, in a speech to the American Banker Regulatory Symposium, stressed that cyber security is “the most urgent category of technical challenges facing banks”. In his view, and the view of most regulators, cyber security is not just an IT issue but also a risk management issue that needs to be “engaged at the highest levels of corporate management”.

Following up on earlier guidance about disclosure of cybersecurity risks, on April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert notifying firms that it will conduct IT security examinations of more than 50 registered broker-dealers. The SEC is delivering a message that asset managers and brokers as well as retail banks should be alert to hackers penetrating their networks and stealing customer data.

SEC Chair Mary Jo White, a former US Attorney for the Southern District of New York, says the commission’s jurisdiction is “focused on the integrity of market systems, customer data protection, and disclosure of material information”. SEC staff has developed and released a cybersecurity document to help compliance professionals assess their firm’s state of readiness.

Secretary of the Treasury Lew, speaking before the Institutional Investor’s 4th Annual Conference, urged the financial sector to improve cybersecurity by using the framework published by NIST. He also urged Congress to pass comprehensive legislation to improve information sharing while protecting consumer privacy.

New York state’s Superintendent of Financial Services, Benjamin M. Lawsky, has sent a letter to dozens of banks requesting that they produce “any policies and procedures governing relationships with third-party service providers” and that they describe “the due diligence processes used to evaluate” the security procedures of all vendors. He is also considering a new rule requiring banks to obtain “representations and warranties” from vendors about the adequacy of their controls against hackers.

Sens. Rockefeller and McCaskill have both urged renewed focus on a federal data privacy bill, an issue that seemed to have slipped down the list of Congressional priorities. Senators Blumenthal and Markey have written to Federal Trade Commission Chair Edith Ramirez requesting an investigation into the Home Depot breach. The FTC is already aggressively charging companies with unfair and deceptive practices for failing to protect customer data and is negotiating settlements with its corporate targets.

LEGISLATION

In addition, for the past several Congressional terms, the House and Senate have been sparring on how best to address cybersecurity issues. The White House has expressed frustration with the failure of the Congress to agree on a bill that balances cybersecurity and privacy. The President has threatened to veto any bill that in the administration’s view fails to protect consumer privacy.

Two of the more significant bills pending in Congress are the Cyber Intelligence Sharing and Protection Act, HR 624, introduced by Representative Rogers, Chairman of the House Permanent Select Committee on Intelligence, and the Cybersecurity Act of 2013, S 1353, introduced by Sen. Rockefeller. Rogers and Rockefeller are retiring this term, and even though both bills have significant bipartisan support in their respective chambers, it is difficult to anticipate what will happen to these bills when the new Congress convenes in January 2015. It is likely that some member will accept the challenge to craft a cybersecurity bill.

Two other major pieces of legislation, with significant bipartisan support, were introduced this term by Representative McCaul, Chairman of the House Committee on Homeland Security. Chairman McCaul’s bills are the National Cybersecurity and Critical Infrastructure Act, H.R. 3696, and the Cybersecurity Enhancement Act of 2013, H.R. 756. Representative McCaul has introduced those bills in several Congresses and, assuming he is re-elected, he is almost certain to introduce them again.

THE FRAMEWORK

In the meantime, the National Institute of Standards and Technology is grinding on, responding to President Obama’s Executive Order Number 1363 and Presidential Directive, both issued on February 12, 2013, directing NIST to publish a framework for improving critical infrastructure security.

On February 12, 2014, NIST issued its final framework and companion “Roadmap for Improving Critical Infrastructure Cybersecurity”. An update to the roadmap was issued in early October.

The framework is composed of three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile. The Framework Core consists of five “concurrent and continuous Functions” that NIST has concluded provide a strategic view of a company’s management of its cybersecurity risk. Each of these five Functions has a number of key Categories and Subcategories.

The Framework then identifies Implementation Tiers that categorize a company’s existing Core Functions over a range of four states from Partial (Tier 1) to Adaptive (Tier 4).

The Framework Core is the foundation for the Framework Profile that describes the company’s current state, the desired target state, and a gap analysis designed to identify the cybersecurity risk management objectives to help the company reach the target state.

The Cybersecurity Framework Reference Tool is designed to assist companies in understanding the Framework and its standards, guidelines and best practices for cybersecurity risk management. In addition, NIST has set a goal of publishing a series of components for the Identity Ecosystem Framework, with a self-assessment and self-attestation program to be released early in 2015.

The Update also identifies NIST’s work on supply chain risk management, by mapping relevant standards, best practices, and guidelines to the Framework Core, and identifying key challenges and strategies.

The NIST Framework is an overly complex document with its categories and functions and standards, tiers, and guidelines, which probably explains why the Update includes a Reference Tool to help risk officers better understand the Framework. The important thing to keep in mind is that the Framework is designed to help companies evaluate their cybersecurity readiness, to measure individual companies against their industry peers, and to provide a roadmap for moving a company’s cybersecurity readiness from Partial to Adaptive. Also, NIST is working to provide a similar tool to map relevant standards and identify key challenges.

THE SMB CHALLENGE

The adoption of a single standard and framework becomes even more challenging when you take into account that 99.7 percent of US companies are small and medium-sized businesses (SMB) and are challenged to staff risk management and technology infrastructure, and understand what cyber risk means to their companies.

SMBs create over 60 percent of all new US private sector jobs and produce over 47 percent of the country’s Gross National Product (GNP). Essentially they control our information and data supply chain as well as our intellectual property.

The SMBs are the supply chain to the Fortune 500 in most cases and are involved as a partner, supplier and vendor when information is breached or compromised. The security of an SMB is important to its customers, whose data it must protect, and to its partners within the supply chain, who have an expectation that their business affiliates have implemented effective information security safeguards. These business partners want to ensure that their systems are not put at risk by connecting to those of any other business.

Some SMBs may have agile and robust infrastructure to manage security threats and events; however, this group of SMBs may not be the norm among their peers.

Because of this vulnerability and the crucial role they play in the supply chain, SMBs are a target for cyber criminals. SMBs need to understand their vulnerabilities and play a role in a common framework for cyber risk that is “right sized” to their resources and needs.

Larger organizations are being targeted more often than SMBs, and the financial impact on the larger organizations is staggering when one looks at the event frequency and the dollars spent on detection, remediation and making their customers financially whole once they understand “who did what to whom”. These organizations mostly buy cyber insurance policies with large limits and the ability to pay reporting fines and fees; however, this is not yet the case for SMBs. The mainstream SMB is learning about cyber security from the headlines and assumes this is a Fortune 1000 company issue.

When buying cyber insurance goes mainstream in the SMB market, the cyber risk ecosystem will shift toward risk accountability based on where data assets and intellectual property are owned. Larger organizations are looking to promote this risk accountability with programs and risk ratings using third-party liability programs. SMBs will be scrutinized by their larger partners as to their ability to manage cybersecurity risks. Just as Superintendent Lawsky is considering a rule requiring the financial institutions he regulates to obtain “representations and warranties” from their vendors, more and more large non-financial organizations will begin requiring similar “representations and warranties” from their suppliers and vendors.

SMBs need to be educated, as they are being breached often, and need to establish a risk mitigation and management framework within their companies for their own protection. Because they are a major part of the US supply chain and infrastructure, their senior management and members of the board will not be able to ignore the NIST guidelines. Class action lawyers will eventually begin to seek discovery on whether a defendant has adopted the standards and where it falls on the scale of readiness.

***

Tom Lahiff is general counsel and corporate secretary at a security monitoring and cyber threat intelligence firm with Fortune 500 clients, where he negotiated the sale of the company to a Big Four accounting firm. He was previously senior corporate counsel at a leading global bank, representing the firm in litigation matters and government investigations and responsible for instituting the corporate e-discovery program and training, including the vendor selection process. As a consultant and subject matter expert at a Big Four accounting firm, he worked with financial services, energy, transportation, and medical device clients on e-discovery and information management programs. His expertise is in aligning information management and e-discovery programs and reducing legal expenses.