[BreachExchange] Cybersecurity Risk: What does a 'reasonable' posture entail and who says so?

[Destry Winant]

https://www.ciodive.com/news/cybersecurity-risk-what-does-a-reasonable-posture-entail-and-who-says-so/559207/

Do you know where your data is? Is it "reasonably well" protected?

With data breaches making daily headlines, and hackers developing
innovative methods to penetrate cyber defenses, businesses must
contemplate what "reasonable" security posture to implement for when,
not if, a threat occurs.

Virtually all references to "reasonable security" are high level and
vague – the source can't possibly know the many environments that
exist. Instead, only generalizations and risk-based truisms act as
guides.

Additionally, the cyber risk lexicon differs depending on industry and
audience. Authoritative entities do not want to box themselves in with
a specific definition of what constitutes "reasonable" security, as
once that happens resources would be required to support that
position.

Alas, the status quo of vagueness continues (aka, the proverbial and
frustrating "it depends" response).

Determining a legal standard of reasonable cybersecurity

As data breach and cybersecurity incidents continue to rise, lawmakers
and regulators have responded with legislation and regulations
requiring companies to maintain a threshold of cybersecurity to
protect sensitive information. Regardless of origin, these new
policies all impose a minimum standard for "reasonable" cybersecurity
measures.

However, without a defined, coherent standard of care to reference,
companies are left wandering in the wilderness when it comes to
compliance with these often ambiguous laws and regulations.

In terms of establishing a standard of care to avoid negligence, like
in the wake of a data breach, the word "reasonable" is somewhat a term
of art that has evolved as technology advances. Courts commonly use a
"risk/utility" test to analyze whether a defendant's conduct was
reasonable and conformed to others similarly situated in the same
industry and if the potential harm outweighs the burden of
implementing the proper measures to prevent such harm.

At its core, the risk/utility formula seeks to determine if the burden
of putting adequate precautions in place is less than the potential
risk and gravity of injury.

Many companies take a cost adverse approach to cybersecurity, hoping
that by being on par with similar situated companies' cybersecurity
systems, that their measures will be seen as good enough. Yet with
data breach litigation increasing, this practice is nothing short of
risky as businesses are allowing a judge or jury determine the
reasonableness of its cybersecurity posture after an incident has
occurred.

A "reasonable" standard can't be established through marketing
campaigns touting the cybersecurity measures that are in place. After
a data breach in September 2017, shareholders brought a derivative
suit against credit reporting agency Equifax, Inc. alleging that it
committed fraud in connection with the data breach that resulted in a
loss in value of their investments.

Specifically, the shareholders allege that Equifax made multiple false
or misleading statements and omissions regarding the vulnerability of
its internal systems to cyberattack and its compliance with data
protection laws and cybersecurity best practices. The plaintiffs
further allege that Equifax had fraudulently stated that it "regularly
reviewed and updated its security protocols to ensure that they
continued to meet or exceed established best practices at all times."

The judge in the Equifax case found the allegations to be credible and
denied Equifax's motion to dismiss the ruling. The judge ruled that
the case must go forward to take a deeper look into the cybersecurity
measures that were in place at the time of the breach.

This case serves as a warning to businesses that have not conducted a
thorough review of their cybersecurity posture, but continue to market
themselves as cyber ready.

So what's the answer?

Without an exact definition of what "reasonable" security practices
entail, a simpler approach is to evaluate what constitutes a lack of
reasonable security. This approach makes it easier for an organization
to map data security protection efforts (including privacy and
resources) to a known framework.

By using the Center for Internet Security (CIS) Critical Security
Controls (CSC) as the overall cyber risk authoritative source, one
just needs to map any "reasonable" definition to those 20
specifications to attest to its validity and utility.

As major privacy laws are enacted, such as the EU's GDPR, and the
California Consumer Protection Act (CCPA), the residual risk
definition and determination has become even broader, covering more
requirements.

This affects what a reasonable security posture entails, upon which
privacy environments are built. Our recommendation to quantify what is
reasonable, and what is not, uses the California definition provided
in early 2016 by then Attorney General Kamala Harris. While not
directly applicable to other states, the recent CCPA law will apply
and the California Attorney General's "reasonable" definition will
likely be invoked in California court cases involving data breaches.

In 2016, Harris released the California Data Breach Report 2012-2015
which, among other things, states that, "the 20 controls in the Center
for Internet Security's Critical Security Controls define a minimum
level of information security that all organizations that collect or
maintain personal information should meet. The failure to implement
all the controls that apply to an organization's environment
constitutes a lack of reasonable security."

While the California AG's formal position is not codified, and
therefore not binding, this definition of "reasonable security" does
appear to strongly suggest that failure to implement all of the CIS
CSC that apply to an organization constitutes a lack of reasonable
security. Following the CIS CSC approach will codify an organization's
risk status based on a known, proven set of requirements that will
stand up well in virtually any dispute.

How does implementing the CIS CSC get the organization into a
"reasonably" safe and affordable risk posture and then sell that
minimal risk environment to company leadership? It codifies your
organization's success factors so you can clearly enable them and then
select an overall risk framework to assess your environment, determine
gaps and propose mitigations for those findings.

The NIST Risk Management Framework (RMF) is a good source for
enterprise risk management (ERM), whereas for cyber risks NIST's Cyber
Security Framework (CSF) is a solid choice. As for a cybersecurity
risk source, the CIS CSC gets you a clear two-for-one benefit – a
recognized authoritative source to map your security environment and
quantify risks, and a recognized methodology and approach to
demonstrate and provide a "reasonable and defendable security
posture."

There is minimal downside to using the CIS CSC as those security
controls are definitive and actionable from the start and provide a
foundational risk posture. That view will support any conflict
resolution venue and further the organization's risk management savvy
and expertise. Implementing the CIS CSC will show due care in any
conflict venue by demonstrating that your organization is practicing
cyber due diligence, even if not yet with a fully minimized risk
posture.