2018 saw an upward trend in data breaches coupled with growing public concern for federal and political security. To help organizations navigate the uncertainties of a changing regulatory landscape, The Chertoff Group spotlights the trends that will shape cyber policies in the year to come.
Domestic Movement on Data Privacy and Security Legislation
High profile breaches in recent years, along with the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act, will bolster domestic efforts to develop and pass comprehensive data security and privacy legislation.
Despite this push, however, a divided Congress and limited interest from the White House will likely slow progress. Expect additional states to follow California’s lead if Congress fails to move such legislation forward, regardless of lawsuits filed by technology companies or the Department of Justice.
Political Cyber Threats Will Build
The public has lost significant confidence in the cybersecurity of state and local election technologies. The Chertoff Group predicts that fear, uncertainty and doubt in election technology security will only continue to grow as the U.S. anticipates the 2020 Presidential and general elections.
Heightened Incident Disclosure Expectations
The GDPR, which became enforceable in May 2018, includes a requirement that organizations report a personal data breach within 72 hours after becoming aware of it.
Likewise, the New York State Department of Financial Services (DFS) imposed a requirement that firms under its jurisdiction notify DFS within 72 hours of identifying a breach of personal data that presents likely harm to the entity’s operations.
This requirement significantly accelerates reporting timeframes, pressuring organizations to mature incident response and resiliency capabilities to remain compliant.
Separately, the U.S. Securities and Exchange Commission (SEC) released updated guidance in February 2018 on public company cybersecurity disclosure requirements under federal securities laws. The guidance focuses on maintaining comprehensive cyber policies and procedures – particularly on timely cyber risk and incident disclosure – and prohibiting cybersecurity-related insider trading.
In addition to policy changes, recent incidents at Yahoo, Uber and Equifax have driven federal and public organizations to take a closer look at breach disclosure norms. A threshold disclosure question is one of materiality, which the SEC describes as information that would either influence a “reasonable investor’s” voting or investment decision or “significantly alter the ‘total mix’ of information available.”
While the SEC does not expect companies to disclose specifics about their cybersecurity programs, it does hold companies responsible for “disclos[ing] the extent of its board of directors’ role in the risk oversight of the company.”
This additional element concerning board roles in risk oversight raises the question of how senior management and boards are advancing their understanding of cyber risk to make informed judgments about materiality.
Increased Disclosure in Vulnerability Equities Process
According to a White House charter, the Vulnerabilities Equities Process (VEP) “balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes.”
The exposure and subsequent exploitation of NSA’s EternalBlue have amplified calls to address the vulnerability equities issue by tilting the scale towards increasing disclosure.
CISA and Lingering Private Sector Resistance
The Cybersecurity Information Sharing Act (CISA) was passed in 2015 to improve cybersecurity through increased communication of cybersecurity threats between the public and private sectors. Although CISA offers liability protections for the private sector, many large private companies remain reticent to share sensitive, potentially risk-reducing information with peers and the government.
Ambiguity Remains for Three Lines of Defense
Organizations continue to struggle to define and implement effective first and second lines of defense, as outlined by the Institute of Internal Auditors. There is a general consensus that the first line consists of information security operations and the second line is responsible for cyber risk oversight. Security practitioners, risk managers and regulatory bodies, however, do not consistently align on the practical implementation of these concepts. Ambiguity in this area can have significant organizational and risk mitigation implications.
Navigating Cyber Policy in 2019
In the year ahead, ensuring compliance and security means organizations must adapt to changing cyber policy. The Chertoff Group helps companies understand the cybersecurity landscape and develop programs that assess, mitigate and monitor risk. Schedule a consultation today to find out how The Chertoff Group can develop a custom program to protect your assets and safeguard your business.