Business and trade associations have long argued that companies can manage their cyber-security programs without government interference. Those groups seem perilously close to losing the argument.
Driven largely by increasingly sophisticated and destructive cyber attacks—and the failure of businesses to prevent them—U.S. and European authorities appear ready to prescribe cyber-security controls.
Last year, cyber attacks caused unprecedented disruptions to operations, the theft of massive amounts of personal data and soaring losses. The WannaCry ransomware raced around the globe in May, encrypting data on about 300,000 computers in more than 150 countries. A month later, the NotPetya malware, begun in Ukraine, crippled global organizations, among them Maersk, Federal Express and Merck, which each lost an estimated $300 million. All told, losses caused by WannaCry are projected to reach $4 billion.
More importantly, the WannaCry and NotPetya attacks targeted the viability of systems and the integrity of data, serving as a warning that future systemic attacks could result in catastrophic losses for insurers. A month before WannaCry, a hacker group called Shadow Brokers released a file of cyber software tools used by the National Security Agency, making them available not only to the cyber-criminal community but also to nation states and terrorist groups. The WannaCry attacks were unprecedented in scale, and the United States, Britain and Australia have accused North Korea of launching them.
Though roundly documented, these attacks don’t indicate the broader impact of cyber hacks. Last year nearly 40% of respondents to an AT&T survey said a cyber incident had an operational impact on their organization, and nearly 25% reported a cyber breach resulted in damage to reputation, loss of revenue and loss of customers. Small businesses are as much of a target as large ones; a 2016 Symantec report said 43% of cyber attacks target small businesses.
Last year, a report from Barkly blamed the leakage of the NSA cyber tools on the rise in “clickless infections” (such as NotPetya) that bypass the need for a user to click on a link or open an attachment to enable malware to enter a computer. The report said attackers were creating infections “that are more difficult to block, detect and contain.”
The cyber attacks have caught the attention of regulators, legislators, plaintiff’s attorneys and the public, resulting in an increasingly complex mix of federal and state rules.
Financial Services: Federal Regs or Joint Partnerships?
In 2015, I wrote a report titled “Governance of Cybersecurity: How Boards and Senior Executives are Managing Cyber Risks” for Georgia Tech’s Information Security Center. I found the financial services sector has better privacy and security practices than other industry sectors. But it’s also one of the most targeted sectors for cyber attacks. As a consequence, despite strong security programs, it is one of the most regulated sectors with respect to cyber security.
One of the first cyber-security regulations to hit the financial sector was the 1999 Gramm-Leach-Bliley Act and its corresponding Privacy and Safeguard Rules. The law, enforced by the Federal Trade Commission, requires financial institutions to enact safeguards to protect their customers’ sensitive data.
In 2014, the Commodity Futures Trading Commission recommended best practices for administrative, technical and physical safeguards for financial information subject to the Graham-Leach-Bliley Act. The commission also issued cyber-security regulations in 2012 pursuant to the Commodity Exchange Act and enhanced them in 2016 with requirements for cyber-security testing, remediation and governance.
Recently, however, there has been some shifting away from federal regulatory action and toward partnerships with the private sector to advance information sharing and improve resiliency and response capabilities.
The U.S. Treasury Department’s Financial Stability Oversight Council clearly recognizes the cyber risks facing the financial sector. But rather than responding with regulations, FSOC’s 2017 annual report emphasized the value of public-private partnerships, noting:
If severe enough, a cybersecurity failure could have systemic implications for the financial sector and the U.S. economy more broadly…. The fact that the sector is overwhelmingly owned and operated by the private sector makes the need for a close partnership between government and industry important to better understand these risks…. The Council [FSOC] supports the creation of a private sector council of senior executives that would focus specifically on ways cyber incidents could affect business operations and market functioning and work with principal-level government counterparts on cybersecurity issues.
The financial sector might have also gotten a break from the Trump administration. Near the end of 2016, federal financial regulators jointly published an advance notice of rulemaking on “Enhanced Cyber Risk Management Standards.” The notice outlined a comprehensive set of rules that would cover five areas of cyber-risk management, including vendor oversight and incident response, and additional standards for cyber security. The Trump administration, however, may be keeping its word to pull back on regulations. Arthur Lindo, senior associate director of the Federal Reserve’s division of supervision and regulation, recently signaled the administration would not proceed with the rulemaking on cyber-security standards. “We’re going to try a more flexible approach,” Lindo said.
John Carlson, chief of staff of the Financial Services Information Sharing and Analysis Center (FS-ISAC), says, “Compliance with competing federal and state cyber-security requirements is problematic for the industry; we favor a collaborative, risk-based approach and harmonization of requirements—including terminology.”
FS-ISAC is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis. It was established by the financial services sector in response to 1998’s Presidential Directive 63 (later updated by 2003’s Homeland Security Presidential Directive 7) that requires the public and private sectors to share information about physical and cyber-security threats and vulnerabilities to help protect critical U.S. infrastructure.
States Push Regulation
In 2003, California started a state rush to pass privacy breach notification laws because companies were not disclosing breaches and consumers were being harmed through identity theft as a consequence. New York, as a leader in the financial regulatory arena, may have kicked off a similar movement in cyber-security regulation when the New York Department of Financial Services enacted its Cybersecurity Requirements for Financial Services Companies, which took effect in March 2017. In promulgating the regulations, the department noted the increase in cyber attacks and the lack of a comprehensive federal cyber-security policy for the financial services sector.
The regulations apply to all entities subject to the Banking Law, Insurance Law or Financial Services Law of New York, though there are some exemptions for small organizations. The regulations require each company to conduct periodic cyber risk assessments and develop and maintain a cyber-security program that addresses identified risks “in a robust fashion.” Although a chief information security officer must be designated to oversee the security program, the regulations hold senior management accountable for the company’s cyber-security program. Each entity must file an annual certification signed by the chairperson of the board or a senior officer confirming compliance with the regulations.
The FS-ISAC provided input to New York regulators who were drafting the regulations. Rick Lacafta, director of the center’s Insurance Risk Council, notes the New York Department of Financial Services paid attention to the financial sector’s input and suggested compliance approaches. “It was particularly helpful, we believe, in making the rule more risk-based than prescriptive, which is very important in enabling companies to be nimble and deploy the most innovative approaches.”
In this way, the New York regulations take an approach similar to that put forward by the National Institute of Standards and Technology (see sidebar NIST: A Flexible Framework) and the ISO 27001, which is the international standard for information security. They all give organizations the flexibility to implement controls and technologies suited to their particular risks, which provides more effective security than spending resources on compliance requirements that might not apply to an organization’s operations.
“What I think the New York Department of Financial Services has done is lay out the contours of how organizations should be structuring and thinking about their cyber-security programs,” says Thomas Finan, client engagement and strategy leader for North America at Willis Towers Watson Cyber Risk Solutions. “I think it acknowledges the reality that you can’t prevent every cyber event, that there are determined hackers and other folks out there who mean you harm and you have to have a holistic approach [that] certainly includes steps to identify, prevent and detect a cyber event but also to respond and recover from it.”
A Flexible Framework
While the financial services sector has seen heavier cyber regulation than other industries, the federal government has acknowledged the importance of cyber security across industries. In 2013, President Obama issued an executive order calling for the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure. The NIST Framework, released in 2014, was meant to “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach,” according to the executive order.
Thomas Finan, client engagement and strategy leader for North America at Willis Towers Watson Cyber Risk Solutions and former senior cybersecurity strategist and counsel for the Department of Homeland Security, credits NIST with helping set in motion a flexible mindset and approach that provides a road map for what industries should think about and prioritize for cyber security. “And what NIST recognized…is that every organization is unique and has a unique cyber-risk profile. But there are shared common approaches and issues.”
Finan believes the NIST Framework provides the backbone an organization of any size and in any industry can use to build on and further develop as needed. And, according to Gartner research, 30% of U.S. organizations had implemented the framework two years after it was released, with 50% predicted to implement it by 2020.
“I think the federal government has spoken through NIST with the cyber-security framework,” Finan says. “And I think what you are likely to see, and what you are seeing, is that industry sectors and associations are responding to the framework with their own interpretations on how best to implement it. That’s what’s getting traction right now.”
The National Association of Insurance Commissioners has taken a similar approach. In 2014, following some highly visible breaches of health insurance data, the NAIC formed a task force to study cyber-security regulations. After six drafts and three years, the task force adopted the Insurance Data Security Model Law last October.
The NAIC gives deference to the New York regulations and deems compliance equivalent to compliance with the Model Law. The association also considers those compliant with the Health Insurance Portability and Accountability Act Security Rule to be in compliance, provided they submit a written statement. The HIPAA Security Rule establishes a national set of security standards for protecting personal health information that is held or transferred in electronic form, and it requires a complete enterprise cyber-security program. In 2009, the Health Information Technology for Economic and Clinical Health Act extended liability for Security Rule compliance to business associates and established notification requirements for breaches involving personal health information.
The NAIC Model Law is well written and more detailed than the New York regulation. It sets forth requirements for an information security program that are consistent with internationally accepted best practices and standards for cyber security. Raymond Farmer, NAIC vice president, South Carolina insurance director and chair of the Cybersecurity (EX) Working Group, expects three or four states may take it up in 2018—and South Carolina will be one of them.
“This is the first step toward uniform cyber-security laws across the country for the insurance industry,” says Farmer. He says although NAIC’s focus and intent was to improve cyber security for the insurance sector, other industry sectors have asked to review the law.
The Model Law also received favorable reviews from federal regulators. “Treasury recommends prompt adoption of the NAIC Insurance Data Security Model Law by the states,” department officials said in an October report. “(I)f adoption and implementation of the Insurance Data Security Model Law by the states do not result in uniform data security regulations within five years, [Treasury recommends that] Congress pass a law setting forth requirements for insurer data security, but leaving supervision and enforcement with state insurance regulators.”
EU Leads in Data Privacy
In 1996, the European Union seized the global leadership role on privacy issues with its Data Protection Directive and declaration that any EU data transferred out of the European Union must be afforded equivalent or “adequate” protections in the receiving jurisdiction. The European Union has dominated the privacy realm ever since.
The EU privacy requirements posed great challenges to U.S. industry and global commerce and required cyber-security controls for compliance. After much huffing and puffing, in 2000, the U.S. Department of Commerce managed to obtain EU agreement to the Safe Harbor Privacy Principles, which allowed U.S. companies that registered and self-certified compliance with Safe Harbor to be deemed an “adequate” jurisdiction and legally able to receive EU data. The Department of Commerce and Federal Trade Commission had enforcement authority over Safe Harbor registrants.
Fifteen years later, however, the Court of Justice of the European Union invalidated the Safe Harbor agreement, stating the framework did not provide adequate protections for data shared for national security purposes and made it too difficult for National Data Protection Authorities to intervene and ensure protection of EU data. This decision required U.S. companies using Safe Harbor to put in place the European Union’s standard contract clauses that require adequate protection of EU data for cross-border transfers outside the European Union. Depending on the size of the organization and flows of data, this was a compliance burden for many companies.
Finally, in 2016, the U.S. Department of Commerce and the European Commission agreed on a EU-U.S. Privacy Shield Framework to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. A separate Privacy Shield Framework was agreed to with Switzerland. Like Safe Harbor, the privacy shield will be administered by the Department of Commerce and enforced through the FTC.
During Safe Harbor, the European Union grumbled that the United States was lax in enforcing it. The FTC seems determined to be viewed differently in its enforcement of Privacy Shield. The agency wasted no time in filing three actions against companies that claimed they participated in the Privacy Shield program when they actually had initiated a registration but had not completed required steps for compliance.
When the European Union announced in January 2012 the coming of a new data protection regulation with new privacy requirements and fines of up to 2% to 4% of total worldwide revenue, businesses around the globe shuddered. Compliance with the Data Protection Directive (or Safe Harbor or Privacy Shield) required some changes to applications and controls in security programs, but the new privacy and security requirements in the European Union’s Global Data Protection Regulation (GDPR) would require many more.
The GDPR, which replaces the 1996 Data Protection Directive, came into force on May 24, 2016. EU member states must implement the GDPR into national legal frameworks by May 6, 2018. The compliance deadline for organizations of May 25, 2018, is now looming large over affected businesses.
There are some major differences between the Data Protection Directive and the GDPR. The GDPR has a broader definition of protected data, which includes internet protocol addresses, biometric data, mobile device identifiers and geo-location data. It also gives more power to individuals to obtain the data held about them, to have it corrected, and to request that it be deleted (“right to be forgotten”). Under the GDPR, both data controllers and data processors must be in compliance, whereas only the controller has been responsible under the Data Protection Directive.
The GDPR also requires privacy to be taken into consideration in every phase of the system lifecycle—system design, development, implementation, maintenance and retirement. Privacy impact assessments are required when processing on a large scale, monitoring or profiling are conducted. Warning: the Article 29 Working Party, the advisory body on data protection and privacy that was established by the Data Protection Directive, has interpreted these provisions broadly; large-scale processing can mean a hospital processing its patients’ genetic and health data, and monitoring can mean monitoring employee internet activity.
Another difference lies in the GDPR’s new breach-notification provisions, which require notification to data protection authorities within 72 hours and to controllers and victims “without undue delay.”
One of the most significant differences, however, is the jump in fines. Whereas fines under the Data Protection Directive were usually small and infrequent, the GDPR imposes fines of €10 million to €20 million and up to 2% to 4% of total global worldwide revenue. The threat of such draconian fines has jump-started GDPR compliance efforts around the globe. The revenue penalty, however, appears to apply only to “undertakings,” defined as a parent and its involved subsidiaries. This issue is worth exploring, as many of the articles and documents that discuss the GDPR and onerous fines leap to the conclusion that all infringements of the GDPR may result in penalties based on global revenue.
“Most U.S. companies are not familiar with privacy impact assessments, and some of the new privacy requirements currently are not able to be performed by many applications, such as the deletion of data on a person’s request,” says Phil Gordon, co-chair of Littler Mendelson’s privacy and background checks practice. “There are costly system analysis and integration issues that must be planned for with GDPR.”
But Privacy Relies on Security
Without security, there is no privacy. Therefore, Safe Harbor and Privacy Shield both necessitated controls in cyber-security programs to afford required protections to the data. And just the same, cyber security plays a prominent role in the GDPR. Article 32 on “Security of processing” requires the controller and processor to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including pseudonyming and encrypting personal data, ensuring the integrity of data, regularly testing security controls, and ensuring information is processed only as agreed.
Failure to meet these requirements could mean substantial fines. “The big change for businesses in the States is that they might be brought into GDPR merely by targeting customers in Europe,” says Mark Prinsley, a partner with Mayer Brown in London, “and the compulsory data breach notification provisions will drive data governance.”
Francoise Gilbert, a partner with Greenberg Traurig in Silicon Valley, who is also licensed to practice in France, issued a cautionary note about EU member states’ ability to impose additional requirements beyond those in the GDPR. “It takes a lot of knowledge about both the GDPR and additions or changes introduced by member states to maneuver this new compliance landscape,” Gilbert says.
To further complicate compliance, the European Union has also issued a “Directive on security of network and information systems,” known as the NIS Directive, which is broad in scope and authority. The NIS Directive entered into force in August 2016, and member states have until May 9, 2018, to implement it into national law.
The directive requires member states to identify operators of “essential services” within their territory by Nov. 9, 2018. Criteria for identification of such entities is based on whether an entity provides services “essential for the maintenance of critical societal and/or economic activities”; where the provision of the service depends on network and information systems; and whether an incident would have significant disruptive effects on the provision of that service.
Such entities are deemed critical infrastructure companies in the United States.
The annex of the directive lists the types of entities included for essential services, such as electricity, oil, gas, transport companies (air, rail, water and road), financial market infrastructures, health sector, water utilities and digital infrastructure.
The directive grants a substantial amount of authority to EU member states to ensure these identified entities manage security risks to their networks and systems, prevent and minimize incidents, and notify authorities of significant incidents without undue delay. The directive also empowers member states to assess the compliance of the operators of the essential services and requires the operators to provide all information necessary for the assessment and evidence of implementation of security policies.
Thus, private sector companies could be required to allow government authorities inside their properties to conduct assessments and to produce large amounts of highly sensitive documents. U.S. companies operating such entities in the European Union will be required to name a local representative and will have to comply with these requests.
Wow. Congress and U.S. officials must be jealous. Although U.S. businesses have to maneuver a wide range of cyber-security laws and regulations, they have managed to keep the government out of their data centers. The U.S. Department of Homeland Security has tried for years to assess critical infrastructure and obtain similar information from companies, only to be pushed back by industry.
Regulating Across Industries
Although most cyber-security regulation has been targeted at specific data or industry sectors, one of the most effective ways to push requirements out to all businesses is to impose regulations, or “guidance,” on government contractors and public companies. The Securities and Exchange Commission and federal procurement regulators have chosen this path and have become increasingly specific with respect to cyber-security requirements.
The Federal Information Security Management Act (FISMA), enacted in 2002, imposed cyber-security requirements on agency and contractor systems and compliance with certain Federal Information Processing Standards. It requires risk-based information-security measures and applies to data and systems operated by a contractor on behalf of an agency.
In 2016, the Federal Acquisition Regulations (FAR) on Basic Safeguarding of Contractor Information Systems was implemented, which requires 15 security controls. The regulation applies to all government contractors and is effective when included in contracts.
Following a series of breaches at agencies and defense contractors, the Department of Defense, in 2013, created its own cyber-security procurement regulations, which require contractors and subcontractors to safeguard computer systems and report data breaches within 72 hours. The rule does not apply to contracts for commercial off-the-shelf technology. The Defense Federal Acquisition Regulation Supplement (DFARS) now requires defense contractors to comply with NIST guidance on protecting controlled unclassified information, notify the Defense Department of incidents within 72 hours, save all data associated with an incident for 90 days to enable the Defense Department to review or inspect the system, and notify the department if a cloud provider will be used.
“Concern grew exponentially as the end of 2017 approached and contractors realized they were not in compliance with DFARS requirements, particularly NIST 800-171,” says David Bodenheimer, a public contracts partner at Crowell & Moring. Bodenheimer points out that the Defense Department has several avenues to enforce its cyber-security requirements, including refusing to do business with the contractor or disqualifying it; giving the contractor a negative past performance review, thereby reducing its opportunities for future awards; suing the contractor for breach of the cyber-security safeguards clause in the contract; blacklisting or debarring the contractor; and bringing a False Claims Act suit against the contractor if it falsely implied in its proposal that it was in compliance with 800-171.
“Subcontractors are particularly vulnerable, as their prime contractors may cut them from contracts if they are not in compliance with 800-171,” Bodenheimer says.
The SEC formally entered the cyber-security regulatory realm in 2011 with its “Corporate Finance Disclosure Guidance: Topic No. 2,” which guides public companies on disclosure of cyber-security risks and cyber incidents. The SEC advised companies to disclose cyber-security risks if these risks are among the most significant factors that make an investment in the company speculative or risky. In February, the SEC issued “interpretive guidance” to assist companies in preparing disclosures about material cyber-security risks and incidents. The guidance expands on what cyber risks may be material and puts more responsibility on directors and officers for managing cyber risks.
In 2014, the SEC conducted a series of examinations of the cyber-security programs of registered broker-dealers and investment advisors to identify cyber-security risks and assess cyber-security preparedness in the asset management industry. The following year, the commission issued “Guidance to Registered Investment Funds & Advisers on Cyber Security,” which discusses a number of measures funds and advisors may wish to consider when addressing cyber-security risks, including risk assessments, cyber-security strategies, and policies and procedures.
In 2017, the SEC established a cyber unit in its Enforcement Division to focus on targeting cyber-related misconduct. The unit wasted no time. Last December, it obtained an emergency asset freeze to stop an initial coin-offering fraud that had raised $15 million from thousands of investors.
The SEC means business (even though it took until September 2017 to disclose its own breach, which took place and was detected in October 2016). “Businesses should take seriously the SEC guidance on cyber security and the need for well tailored and consistently implemented policies and procedures around data, vendor and network risk management,” says Gwendolyn Williamson, a partner with Perkins Coie who represents investment and business development companies.
Brokers Face Unknowns
Agents and brokers are working hard to help clients address these privacy and security compliance requirements, but there is no silver bullet and there is the unresolved issue of whether fines and penalties associated with the GDPR are insurable. “Cyber insurance policies need to continuously adapt to this dynamic cyber-risk environment,” says Jeffrey Batt, vice president of Marsh’s cyber practice. “It is our job as brokers to help ensure that clients are both aware of the risks that directly impact them and have sufficient coverage in place.”
Kevin Kalinich, Aon’s global practice leader for cyber insurance, says Aon also is trying to address the uncertainty related to insurability of fines and penalties through policy language. “We have tried to put insurance policies together that state the insurance companies agree to pay the fines and penalties to the fullest extent allowable under law in the jurisdiction most favorable to the insured,” Kalinich says. He noted even law firms don’t agree on whether GDPR fines and penalties are insurable.
But policies will not eliminate the need for system changes that may be necessary to meet the ever-growing landscape of cyber-security compliance requirements. Batt noted that Marsh is trying to raise client awareness and preparedness by engaging its Marsh Risk Consulting team. “We are advising clients on pre-incident planning, quantifying clients’ risk, and utilizing analytical and financial tools populated with client-specific data inputs. With respect to GDPR, we are helping clients understand how coverages will respond to a wide range of scenarios and counseling them on what their options are and guiding them toward potential solutions.”
Kalinich says awareness and education have risen tremendously among clients in the wake of cyber incidents such as WannaCry, NotPetya and Equifax, but execution lags behind. Aon is helping clients determine cyber-risk strategies and priorities by focusing on the financial impact of cyber events. “Consider the recent $80 million settlement of the Yahoo data-breach-related securities class action lawsuit following Verizon’s $350 million reduction in purchase price,” he notes. Enterprise risk management requires a quantitative analysis of factors, of which some are more equal than others, such as frequency, severity and cost-benefit analysis. He says this approach also helps clients prioritize actions since some of the changes required by the GDPR may take years to fully implement. “It is possible that EU GDPR compliance may have had the ancillary benefit of reducing the massive Yahoo loss,” he adds.
“You go back to the focus on a more macro level, holistic approach of cyber resiliency and going step by step through the regulations to comply with those policies and procedures,” Kalinich says. “The good news is the GDPR is so comprehensive it can help you satisfy some of the other 2018 regulatory requirements, such as the New York Department of Financial Services regulations and the updated SEC guidance recommendations.” (See sidebar: Regulating Across Industries.) Kalinich describes GDPR compliance as enterprise risk management that must include management setting a culture of cyber resilience. “If an entity’s culture is set from the top, then you can have a coordinated, unified approach…that can create tremendous efficiencies in the sales process, in the supply chain process, in the risk mitigation process…. It is no longer just an IT security issue.”
Willis Towers Watson’s Finan has a similar perspective. “We all are essentially cyber-security players, whether we recognize ourselves that way or not,” he says. “And if you’re in the business world, a small business or a very large enterprise, good cyber security is an essential part of doing business.”