Well-coordinated cyber attacks against American interests are increasing in number, frequency and sophistication, as are the costs to businesses related to such attacks. Sony Pictures, Home Depot, Anthem, Target Corp. and the U.S. Office of Personnel, to name just a few, have all been the target of recent cyberattacks. The authority to regulate corporate cybersecurity continues to evolve as it tries to balance consumer and corporate privacy interests and keep pace with changing technology. The Obama Administration’s response to the growing threat has been to move cybersecurity to the top of its 2015 agenda; last February, the President announced a new intelligence unit, the Cyber Threat Intelligence Integration Center, to coordinate analysis of cyber threats. The new agency is modeled on efforts to fight terrorism and is tasked with improving coordination among the other government agencies already responsible for cybersecurity, including the National Security Agency, Department of Homeland Security, FBI and the U.S. military’s Cyber Command.
Other agencies, including the FTC, FCC, DHHS, SEC, FINRA and FFIEC, have stepped up their own cybersecurity activities, especially in the payments, banking and healthcare industries. Just recently, in Wyndham Hotels v. Federal Trade Commission, the Third Circuit Court of Appeals upheld the FTC’s power to go after corporations for failing to take adequate measures to protect customer information from data breaches. Many are calling on Congress to get involved too – by providing a more comprehensive legislative answer to the threat. While Congressional action may be a tall order in the near-term, especially in an election cycle, individual states, such as New York and Massachusetts, are taking the lead on cybersecurity enforcement.
So, what can your organization do to prepare for this increased regulatory focus on cybersecurity? Here are five steps every organization should consider:
1. Assess Your Risks
As the Wyndham and other recent cases demonstrate, to credibly defend a cybersecurity program in court or to government investigators, management needs to have considered the company’s cyber risks and taken reasonable steps to mitigate those risks. Taking a data inventory – to classify and quantify data and identify the types of data that would be most damaging if lost or stolen – is one of the first steps to assessing cyber risk. Another critical component is having a clear picture of the physical and technical security features and controls already in place, and determining whether those controls adequately meet your needs. Critical business systems must be mapped to identify how and where data is entering the company, where data is being stored, who has access to data and what is being done to secure the data.
2. Review Data Security Policies and Procedures
Security policies and procedures are the vehicles through which an organization communicates its security goals, objectives and tactics to employees in order to address specific security vulnerabilities. While many organizations have checked the box on creating data security, privacy and retention policies, too frequently those policies are placed on a shelf and forgotten. Some may have been written for a paper-dominated world; others may simply be out of date or may not have anticipated mobile devices, personal notebooks, malware and cyber espionage. To remain relevant, management must instill a continuous process within the organization to evaluate the adequacy of existing security policies and update them in light of the current risks faced by the organization. While policy reviews can be time consuming, especially in technology-rich environments, they are critical to maintaining defensibility. Management should prioritize policies and assign periodic review cycles at predetermined intervals – typically annually, semi-annually or quarterly, depending on the risk.
3. Review Vendor Agreements
Third-party vendor agreements are frequently cited by regulators and courts as a point of vulnerability. Agreements may date back years and may not have contemplated the cyber threats facing businesses today. If so, you may need to force renegotiation of a new agreement rather than simply allowing the old one to auto-renew. For today’s threats, vendor agreements need well-drafted provisions on data security, privacy, control of data, data preservation and the process by which third-party requests are handled. Agreements may need to call out specific data control features, such as access controls and authorizations, encryption protocols, intrusion detection, vulnerability scanning and firewall protection protocols. Advance thought must also be given to incident response, business continuity and disaster recovery procedures so that the parties’ responsibilities and liabilities in the event of a data breach are clearly defined. Negotiating meaningful audit rights is also critical, so that you can validate that vendors are doing what they said they would do. Where the complexity of an agreement doesn’t warrant renegotiation, consider adding an addendum that covers privacy, confidentiality and security issues.
4. Review Data Breach Response Plans
With the list of tech-savvy companies hit by cyberattacks growing, a data breach may be inevitable for many. Costs to businesses from a typical data breach can easily run into the millions of dollars for forensic investigations, consumer notifications, credit monitoring, legal fees and regulatory penalties. Add reputational damage and potential shareholder action – and the stakes for any data breach are high indeed. How a company responds to a security breach is frequently examined by regulators and courts in assessing liability and penalties. Consequently, the midst of a security crisis is not when you want to be figuring out your response plan. Having a well-thought-out response plan allows you to move quickly to prevent additional data loss, protect consumer interests and, hopefully, mitigate your liability.
For a response plan to be effective, management needs to think about and understand the potential business impacts and chain of events that could result from a data breach. The plan should include technical response procedures designed to assess, contain and preserve evidence related to the incident, as well as notification steps to internal teams, customers and law enforcement, as appropriate. The response plan should also establish a multidisciplinary response team to handle overall management and coordination of the organization’s response efforts, with team members drawn from the executive team, legal department, operations, IT department, customer care, communications and HR.
5. Document the Steps Taken
When a breach occurs, it may ultimately be a court or jury that determines whether a company met its responsibility to adequately protect consumer information. Even the best-laid plans to protect against cyberattacks won’t stand up to judicial or regulatory scrutiny unless you have documented the steps your company has taken to secure data. Businesses that can show that they have thought about the risks, created and maintained reasonable policies and procedures to protect against those risks, and provided employees with appropriate tools and training will be in the best position to defend the company from liability and penalties.
Preparing your plans for cybersecurity can be overwhelming. These five steps can help your organization head down a path of preparedness and defensibility. Here at Viewpointe we assist our customers to help them better understand their information landscape, assess risk and prepare for the future. If you have any questions, or would like to speak with one of our experts, please contact us.