At a recent cybersecurity conference in New York City, there was a sterling panel of attorneys and executives from almost every branch of the federal and New York state governments who somehow touch upon the topic of cybersecurity. This included representatives from the Securities and Exchange Commission (SEC), the Federal Bureau of Investigation, the U.S. Attorney’s office for the Southern District of New York, the Federal Trade Commission, and the New York State Department of Financial Services (NYDFS). Rarely do you see every one of these agencies and departments on the same panel, let alone in the same room.
This impressive mix of individuals provided useful guidance on the nature, extent of, and enforcement of cybersecurity regulation that affects businesses throughout the United States and in New York. It also was a panel that could describe not only “what to do” but, equally important, “what not to do.” Both concepts are clearly critical given the major cybersecurity breaches we have seen in 2019. This GT Alert summarizes what the cybersecurity regulators focused on during their presentations.
Risk and Vulnerability Assessments
The major theme from almost everyone on the panel was the need for all companies to do regular risk and vulnerability assessments. This boils down to knowing the health of your network security and how the health of your network security (or lack thereof) can adversely affect your business, assets, customers, and investors. Such assessments can neither be outsourced nor contractually negated when dealing with a third-party service provider. The regulators all stressed that it is critical to perform these assessments regularly – at least semi-annually. Indeed, because attackers can change the code of their ransomware variant weekly (if not more often), performing only an annual vulnerability assessment could be sorely lacking in value. Risk and vulnerability assessments allow businesses to inventory their data, assess the controls and protections around that data, and make changes where necessary to improve those protections. They are truly invaluable. The advice of the regulators was “to do them.”
Institute a Process or Policy Around Cybersecurity and See It Through
Another theme underscored by the regulators was that being compliant on paper was just that – a “checkbox” compliance process rather than a program of effective controls and protections for your most important data. For instance, having an employee email training program to deter phishing and spearphishing is a laudable goal. Failing to perform the training, or doing it only once a year, will likely not be sufficient from the regulators’ perspective. The regulators also emphasized the critical importance of having a cyber supply chain risk management policy in order to assess the security of those third-party vendors with access to your network, such as consultants, suppliers, or other important vendors. That kind of analysis is required under both SEC and NYDFS requirements. Suffering a data breach that comes through your HVAC vendor because you did nothing to assess its network access or cybersecurity is simply “not advisable,” according to the regulators.
Each of the federal regulators on the panel noted that the “worst” case for a breached company is a “non-enforced” policy or procedure that “might” have helped prevent or mitigate the attack. Put simply: having a policy or procedure is nice, but if it is not followed and enforced, it is worthless.
The panelists noted that several significant enforcement cases have re-emphasized the need to disclose material breaches to the various constituencies involved. This could be to one’s customers, investors, most critical vendors and suppliers, and most crucially, to relevant regulators. This could be the SEC, or states like California and New York, or regulators like those in the European Union who apply the GDPR.
Each of the regulators on the panel noted that short windows of time exist to provide breach notifications. In some cases, notice may be necessary as soon as possible, which could mean within 72 hours. Neither scenario offers much time to understand the full implications of a major cybersecurity breach. Though the regulators did not say those time periods needed to be met “or else,” their view was clear: waiting weeks or months to supply notice will not be condoned or forgiven. As such, companies need to have practiced and tested incident response, business continuity, and crisis communications plans.
It is often hard to tell what is on the mind of your primary regulator when something bad happens to your customer or client. This conference provided attendees with the invaluable perspectives of cybersecurity regulators regarding the “state of play” of cybersecurity and breach response.