The continued proliferation of high-profile attacks on companies by advanced threat actors—including state-sponsored actors—coupled with the increasing risk of consumer and personal information disclosure as part of these attacks has led to heightened awareness by state and federal regulators of the threats posed by cybercriminals and cyberterrorists. This advisory discusses a new action by the state of New York that may signal a developing trend of increased proactive regulator interest in the cybersecurity practices of companies under their regulatory jurisdiction.
Although most industrialized countries have omnibus laws for the protection of data nationwide, the United States has implemented a sectoral, or industry-specific, approach. Of the major federal laws and regulations governing data security, only a few impose affirmative obligations to maintain specified security standards.[1] In addition, only a few states have enacted laws requiring businesses to maintain data security standards to protect state residents’ personal information.[2]
As a result of the dearth of state and federal law, regulators across regimes have generally addressed cybersecurity on a reactive basis, launching investigations in response to data breaches or other incidents where consumer information may be at risk of disclosure or unauthorized use. In addition, to protect investors, the U.S. Securities and Exchange Commission (SEC) issued guidance encouraging companies to include information on cyber risk and cyber incidents in their filings. Recently, there has been increased activity at the federal level to ensure that the nation’s critical infrastructure entities are protected against cyber threats. Herein, we expand on these types of regulator interest in cybersecurity and then discuss a new type of interest exemplified by the New York attorney general in its proactive inquiry of the cybersecurity practices of, and previous cyber incidents at, insurance companies.
Types of Regulatory/Government Interest to Date
Investigations in response to breaches: protecting the consumer
Among the most active authorities in protecting consumers whose electronically stored private information may be at risk has been the U.S. Federal Trade Commission (FTC). The FTC has increasingly investigated companies for failure to maintain adequate information security programs where such companies’ actual practices are inconsistent with their information security policies, alleging a violation of Section 5 of the Federal Trade Commission Act, which prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.”[3] The FTC has also actively investigated companies following security incidents for failure to maintain adequate security measures, as required by the Security Principle of the Gramm-Leach-Bliley Act (GLB).[4]
Like the FTC, state regulators have also been active in policing data security practices of companies through state consumer unfair and deceptive trade practices acts.[5] In addition, 19 of 46 states with data breach notification statutes require not only notification to customers affected by security breaches, but also notification to state attorneys general or agencies. These notifications often result in state regulators launching investigations into the data security practices of the company impacted by the security incident. One recent example is the LivingSocial, Inc., security incident. On May 2, 2013, the attorneys general of Connecticut and Maryland sent a letter to the online daily deals company seeking details about a breach first reported on April 26, 2013. The letter requested, in pertinent part, a description of the company’s security measures before and after the breach to “ensure consumers are properly protected now and in the future.” This action signals a growing effort by state regulators to more aggressively utilize state law to address the issue of information security.
Public disclosures of cyber incidents/cyber risk: protecting the investor
Growing concern over the state of cybersecurity in the United States led to the October 2011 publication of staff-level guidance by the SEC, which encouraged all public companies to disclose in their regulatory filings descriptions of the specific cyber threats they face and the steps they are taking to mitigate cybersecurity risks and cyber incidents.[6] While the SEC’s guidance discouraged disclosing information that could be used to engage in a cyber attack, cybersecurity breaches were to be disclosed if they had a material effect on the company’s finances or ability to provide products and services. In light of the recent Executive Order regarding cybersecurity and the nation’s critical infrastructure, discussed below, there appears to be an increase in SEC filings that include such disclosures.[7]
Enhancing cybersecurity of critical infrastructure: protecting the nation
Recognizing that corporate cybersecurity plays an important role in overall national security, in September 2012, Senator John D. (Jay) Rockefeller IV, chairman of the Senate Committee on Commerce, Science and Transportation, sent a letter to every chief executive officer of the Fortune 500 companies stressing the cybersecurity threats the country faces and requesting that they outline their respective companies’ cybersecurity practices. According to a memorandum issued by the Senate Committee on Commerce, Science and Transportation earlier this year, approximately 300 of the Fortune 500 companies responded to Senator Rockefeller’s letter and “[o]verall, the companies’ responses showed that the private sector is supportive of Congress’s interest in passing cybersecurity legislation,” particularly in the realm of information sharing.[8]
On February 12, 2013, President Obama signed an Executive Order on Improving Critical Infrastructure Cybersecurity (“Executive Order”) that required the Secretary of Homeland Security and Director of National Intelligence to enact policies that allow for the rapid dissemination of cyber threat information to the private sector.[9] That Executive Order also initiated the development of a Cybersecurity Framework to create “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The director of the National Institute of Standards and Technology (NIST), tasked with leading that process, issued a Request for Information on the topic and received more than 240 responses. NIST has invited stakeholders to discuss the Framework at three workshops, two of which have already taken place.
Despite the increasing interest in implementing a comprehensive system for the management of cyber risk, no comprehensive federal information and/or cybersecurity laws appear to be imminent, although many information security bills have been proposed in recent years.[10] Until decisive action is taken by the federal government, cybersecurity will continue to engender debate. Meanwhile, state legislators and regulators are taking more immediate action that may have profound implications for businesses.
Enhancing cybersecurity of companies: protecting the citizen
In New York, recent increased regulatory interest in cybersecurity practices at insurance companies may telegraph how sector-specific regulators will approach cybersecurity moving forward. On May 28, 2013, Governor Andrew M. Cuomo launched an initiative to determine the steps that insurers are taking to protect their computer information systems from cybercrime. The purpose of this initiative was to ensure that insurance companies responsible for New Yorkers’ sensitive health and personal information had adequate cybersecurity policies in place to protect stored information from a cyber attack. The initiative came in the form of a specific information request, a “308 Letter,” from the New York State Department of Financial Services (DFS) to the largest insurance companies that DFS regulates. Earlier in 2013, New York sent similar requests to the largest companies in the banking industry, a sector more traditionally associated with cybersecurity concerns. The 308 Letters, which create a legal obligation for the insurance companies to provide a response,[11] requested disclosure of the following:
- information on any cyber attacks the company has been subject to in the past three years;
- the cybersecurity safeguards the company has put in place;
- the company’s information technology management policies;
- the amount of funds and other resources dedicated to cybersecurity at the company; and
- the company’s governance and internal control policies related to cybersecurity.
This recent regulatory activity in New York takes the unique approach of requiring that private companies divulge their cybersecurity practices, spending and history of attacks prior to any specific cyber incident affecting the business. Furthermore, after collecting this sensitive information, the New York Insurance Law appears not to place any restrictions on what DFS can do with the information it obtains in response to a 308 Letter, leaving insurance companies little protection from dissemination of that sensitive information. Disclosures relating to a company’s cybersecurity incident history or practices could therefore conceivably be shared with other state or federal agencies—or even communicated to consumers.
This proactive approach to understanding how New York insurance companies protect against cyber threats could potentially apply to other regulated sectors where businesses are required to respond to similar information requests. As Governor Cuomo stated in explaining the regulatory approach to insurance companies, while the state has long been “intensely focused on making sure that banks have the protections in place they need . . . we always have to keep at least one eye on the lookout for the next big threat.”
In light of the increased regulatory interest in cyber/data security, both on the reactive side, as regulators continue to investigate data breaches and security incidents, and now on the proactive side, as regulators show an interest in assessing the current state of cybersecurity, companies should consider taking action to ensure that they are prepared to respond to an array of proactive and post-breach regulatory inquiries relating to the organization’s cybersecurity policies, procedures and practices. The following are recommended tips to assist in this process:
- Develop a Cybersecurity Policy. Organizations should develop a core set of principles related to cybersecurity that form the framework within which their information technology (IT) infrastructure and business operations will manage cyber risk. Such principles could include, for example, participation in industry information-sharing groups, as well as gathering and analyzing cyber threat intelligence.
- Measure Cyber Risk and Evaluate Solutions on an Ongoing Basis. Measure cybersecurity risks effectively through the implementation of a “zero gap” coverage model for the discovery and assessment of all IT asset types. Cyber risk management is only effective where the risks are known. Continually evaluate defense solutions vis-à-vis the cyber threat landscape to ensure effectiveness.
- Develop Effective Corporate Response Programs. Responding to attacks by advanced threat actors can no longer be achieved with a technical fix to a technical problem. The complexities of cyber threats require key leaders of the company outside of IT to be educated and involved in the incident response process. Implementation of corporate response programs can help ensure an effective and efficient security incident response that will withstand post-breach regulator inquiry.
- Structure Internal Leadership Around Key Stakeholders. Key stakeholders include, at minimum, the board of directors, senior leadership and key members of the IT staff. Ensure that these parties are aware of the company’s cybersecurity policy and procedures and are equipped to support the program efficiently and effectively.
- Monitor Cybersecurity Developments at Both the Federal and State Levels. The Executive Order has changed and will continue to change the cybersecurity landscape in terms of the level of government involvement in cybersecurity, the amount of cyber intelligence and threat information available to critical infrastructure entities, and the expected level of awareness and participation in cybersecurity initiatives by not only critical infrastructure entities, but other entities with which those entities interact. New federal and state information/cybersecurity legislation also continues to influence an organization’s developing cybersecurity practices. Ensure that key stakeholders are informed of these developments in a timely fashion and are able to quickly assess the impact on the organization’s current cybersecurity policy and practices.