With the number of data breaches continuing to mount, regulators were very active in policing cyber risks in 2014. Given the current cyber risk landscape and the fact that regulatory intervention in cyber security and privacy issues is one of the few areas of possible cooperation across the political aisle, U.S. companies should expect regulatory oversight to expand significantly over the next several years.
The most positive regulatory development of the past year was likely the renewed push for cyber risk information sharing between the U.S. government and the private sector. Broadly, information sharing improves cyber security by setting up dedicated public-private centers where national intelligence entities, law enforcement, and the private sector can quickly and securely share information on cyber threats, attacks, and trends.
Information sharing and analysis organizations (ISAOs) have been around for more than a decade, but have recently come back into focus as concern over national security cyber threats mounts in Washington. Recent hearings before the Homeland Security and Governmental Affairs Committee preceded the February 2015 announcement by President Obama of a new, over-arching information sharing entity called the Cyber Threat Intelligence Integration Center, with a $35 million budget and direct oversight from the Director of National Intelligence.
Organizations need to incorporate best practices of working with various ISAOs and sharing cyber threats externally into their internal cyber processes. Legal counsel should be consulted, as the legal protections for sharing sensitive information are still in flux.
Many regulators consider the growing tide of cyber incidents to be more of an abdication of corporate responsibility than a threat to national security. Fair or not, this perspective is resulting in increased regulatory activity among both traditionally and newly active cyber regulators. Such regulatory investigations represent a significant challenge for companies not only in terms of money, but also of time, resources, and distractions.
Last year saw continued growth in both the scope of cyber regulatory investigations and the resulting penalties doled out by the two most active federal regulators – the Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC).
In May, the OCR announced that its largest fine ever, $4.8 million, was levied against a hospital for a violation of the Health Insurance Portability and Accountability Act (HIPAA) affecting 6,800 individuals. The OCR also expanded its scope by regularly investigating breach and control failures unrelated to the actual breach investigation and smaller breach incidents affecting fewer than 500 individuals that were previously unreported. All of this is part of the “aggressive” stance OCR states it intends to take on
privacy issues. For its part, the FTC announced its milestone 50th data-breach settlement last year and stated its intent to continue actively seeking to investigate and penalize corporations for data breaches.
Regulatory activity was also significant last year at the state level. In California, for example, the Department of Public Health announced a record 22 settlements in 2014, and, with eight settlements so far in 2015, is on pace to exceed that number. State attorneys general (often working together as multi-state task forces) were also aggressive in their investigations of large data breaches, even for breached entities with only limited activities in their state. Further, attorneys general in New York and Washington introduced state legislation to expand requirements for cyber event reporting and strengthen their ability to investigate.
At the same time, other regulators that have traditionally been less active in regulating cyber activity have put new focus on the risk. The Federal Communications Commission, for one, announced a $10 million fine last year against two regional telecoms for failing to properly secure customer information. And the Federal Financial Institutions Examination Council, which has previously established cyber security standards for banks and credit unions, launched a pilot audit program last summer that reviewed the cyber security of more than 500 institutions.
Although cyber regulation may be inevitable, the risks associated with regulatory oversight can be managed. Preparation is key.
From a practical standpoint, CFOs should keep the following in mind:
• Cyber risk cannot be left to the IT department. Regulators expect board-level oversight and engagement of resources throughout the organization to prepare for cyber risks. Even if information technology doesn’t fall under the CFO’s purview, cyber risk is now an enterprise-wide risk that will require a CFO’s attention.
• Cyber risk management means looking beyond just prevention of attacks and focusing on assessment, preparation, and response. Many cyber regulators focus as much time on how an organization prepared for and responded to an event as they do on the circumstances that allowed the event to occur. That means organizations should put added diligence on ongoing assessment and audit capabilities. They should also increase their focus organizational resilience, including disaster recovery, business continuity planning, and incident response.
• Cyber security is no longer strictly an internal issue. Organizations should integrate outside stakeholders, like law enforcement, regulators, and cyber security resources into their cyber risk management framework. Business-partner management is also a critical concern, since many cyberattacks target resources may be outside a company’s direct control.
• Risk transfer should be part of the risk management approach. While regulatory risk can be managed through controls, policy, and procedures, it cannot be eliminated. Cyber insurance allows organizations to transfer some of the residual regulatory risk, including legal costs and regulatory penalties, off the balance sheet. Moreover, regulators are beginning to view cyber insurance as an indicator of an organization’s cyber risk maturity and as reassurance that sufficient assets and expertise will be brought to bear should an incident occur.
Tom Reagan is the Cyber Practice Leader at Marsh USA.