[BreachExchange] How to shield your company from cyber enforcement

[Audrey McNeil]

http://www.networkworld.com/article/3128763/leadership-
management/how-to-shield-your-company-from-cyber-enforcement.html

A lot has changed in the world of cyber regulation. September 2015 saw the
widely reported SEC administrative proceeding against RT Jones for
violating the “Safeguard Rule” in failing to establish and implement
written cyber protection policies. Next was Morgan Stanley. And this past
March the Consumer Financial Protection Bureau (CFPB) brought a pre-emptive
action against a company that hadn’t even had a breach.

At this stage, it’s safe to assume the list of regulators and their
security requirements will continue to grow and fines and penalties will
become more severe. In fact, just last week the New York Department of
Financial Services (DFS) proposed new cyber guidelines for financial
institutions.

In order to protect themselves, organizations need to develop cyber
frameworks and internal security environments that are living, breathing
and constantly evolving, both to adequately protect against outside threats
and in order to meet the increasing demands of regulators. They must also
ensure their cyber insurance policies provide sufficient coverage for
regulatory proceedings and associated penalties.

When controls fail and security incidents occur, it goes without saying
that investigations and fines are close behind. A review of the FTC’s cyber
enforcement actions, demonstrate that regulatory enforcement is not limited
solely to Fortune 500 companies – there are many “smaller” companies
included on that list. The most common causes of enforcement actions
revolve around:

Security failures, and failure to protect employee data: The most commonly
referenced violations included: misleading statements and
misrepresentations regarding the adequacy or extent of security measures
taken, failure to properly secure data, security vulnerabilities related to
mobile applications, failing to encrypt data and/or employ SSL, and failure
to adopt written policies.

Deceptive privacy practices and unauthorized collection of information. The
most commonly cited wrongful actions related to privacy policies includes
improper use of cookies to track or gather information, blatant disregard
of published policies, privacy policies that did not adequately reflect
actual usage, and inadequate software descriptions, among others.  In terms
of data acquisition/usage and violations involving deceptive practices
related to that information, violations tended to revolve around: deceptive
collection of information and misrepresentations, including collection of
information without disclosing the intent or scope of collection, deceptive
“opt-in” practices, and improper usage of software or software “extensions.”

Failure to abide by foreign and cross-border privacy rules: Cross Border
and foreign cyber regulation appears to be a growing area of interest for
the FTC. Since the FTC’s initial action against American Apparel in May of
2014, the agency immediately followed with enforcement against an
additional 14 companies, with violations against another 15 companies a few
months later. Most of those actions were for violations of the US-EU safe
harbor rule.

In order to prevent your organization from becoming the target of a cyber
regulatory action, companies should: 1) have an established cyber
security/governance framework with documented policies and procedures, 2)
incorporate periodic assessments through white hat stress tests to evaluate
the efficiency of implemented controls, and 3) establish and monitor
metrics in order to gauge the efficiency of adopted security controls. Most
importantly, these policies and procedures should include the following:

Appointment of a qualified chief officer to implement, oversee and manage
the cyber security environment and documented policies.
Implementation of basic security controls such as antivirus software,
firewalls, SSL, access rights and multifactor authentication.
Documented vendor qualifications to ensure all outside providers and 3rd
party vendors have sufficient cyber controls in place.
Compliant data collection policies & disclosures. These policies should
clearly disclose the companies’ policies on the collection, acquisition,
use and sharing of confidential information. All “opt-in”, and opt-out”
policies should be accurate and adhered to, and any changes in those
policies should be promptly and properly communicated.
Secure document identification and management. This entails ensuring data
is securely stored, properly encrypted, properly transmitted and adequately
disposed of.
Employee training. With a large percentage of breaches resulting from
employee errors, sufficient training is becoming more important than ever,
especially to protect the organization against phishing attacks and social
engineering attacks which are becoming highly sophisticated in both their
timing, execution and methods. Employee training should address, among
other items: verification of email authenticity and wire instruction
orders, password setting and security, identification of email phishing
schemes and other suspicious activity.
Maintaining proper backups and restoration procedures of both critical user
data, and software, etc.
Controlling and Monitoring Physical access: Ensuring employees are
supervised when accessing secure areas and employing key card systems that
maintain access logs. Organizations should also verify the identity of all
outside 3rd party inspectors, maintenance workers, and IT professionals.
For investment/financial firms and public companies, software should also
be implemented to track suspicious behavior.
User Management & Access: This includes implementing strong password
policies, requiring password refreshes, reviewing access privaledges,
requiring the installation of software updates and more.
Formal, documented Incident response plans to ensure that all breaches are
disclosed in a timely manner with proper action taken. Organizations should
be familiar with the varying notification laws in the states/countries in
which they operate. Remedial action should include making necessary
improvements to your cyber security framework, improving policies and
procedures, and updating hardware/software in order to prevent a future
breach or violation.

Lastly, when all else fails, the last line of defense is a cyber insurance
policy. The regulatory defense coverage clause maintained within many cyber
policies, was initially born with the intent of providing coverage
primarily for PII related breaches and the follow up PCI investigations and
fines that followed as a result. Over time, however, that clause has been
expanded significantly and has received a great level of grooming to make
it appropriate for a greater range of regulatory actions, including those
encountered by financial/service firms and public companies alike.

A typical regulatory insuring clause will provide coverage for:

“….Claim expenses and regulatory damages that an insured incurs responding
to any regulatory proceeding first made against the insured and reported
during the policy period resulting from a privacy or security wrongful
act…”.

Like all professional and management liability policies, cyber insurance
policies lack any form of standardization and are mazes of very specific
verbiage requiring careful navigation in order to arrive at a proper
translation. Many of the details lie in the definitions (as bolded above).
agreements pulled from policy specimens from some of the largest insurers
yielded considerable verbiage differences with vast coverage implications.
It is important that organizations engage in a dialogue with their brokers
to understand those definitions and the extent of coverage afforded. Some
of the more important items of review include:

Ensure “wrongful acts” are not limited solely to “a breach of privacy laws”
or “failure to notify of a data breach incident,” those are just two of
many wrongful acts that should be included. In addition, acts of rogue
employees and service providers should also be included.
With many enforcement actions name principals/executives, it is important
to ensure the definition of “insured” is inclusive of the entity, any
domestic/foreign subsidiaries (if intended) and all CISO’s, CTO’s, foreign
equivalents and any other parties for whom coverage is intended.
With defense costs accounting for a large portion of the damages sustained
and fines expected to increase, organizations should carefully review the
definition of “claim expenses” and “regulatory damages” to ensure the
defense coverage is sufficient and that the policy affirmatively provides
coverage for fines and penalties.
Ensure the policy does not limit “privacy events” solely to theft or
unauthorized access of PII (personally identifiable information). PHI
(health information) and CCI (corporate confidential information) should
also be included.
Buyers should seek trigger language that allows coverage at the earliest
stage of an investigation or action. Cyber insurance policies should allow
coverage to be triggered by requests for information, investigative demands
and regulatory proceedings – any policies that require a “formal suit”
should be avoided.
Ensure the definition of “computer systems” is not limited to leased/owned
computers or those solely in control of the organization. Computers in the
care/custody of service providers should also be included.

The cyber security environment is fast moving and companies need to be both
proactive, reactive, and a bit creative when it comes to managing that
risk. Organizations should also maintain a wide peripheral view in order to
understand the sources of security incidents (and available remedies).
While the potential for regulatory enforcement actions are always possible,
often, simply implementing strong controls, ensuring transparency and
employing a common-sense approach when reacting to security breaches, can
significantly minimize the likelihood that the regulators will come
knocking.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161007/ca35d699/attachment.html>