In the last few years we have seen an increase in public breaches and hacking events, and the information security industry is booming because of it. But we are also seeing a number of new pieces of sweeping legislation that will impact pretty much every business around the world. While there are also big changes going on in other places (China, Australia, etc.), I have chosen the three that I feel tell a certain side of the story and will be most impactful to the majority of organizations in the US and EU. First and foremost, what are these three (3) pieces of legislation?
1) The Cybersecurity Disclosure Act of 2017 (S. 536)
This Act was introduced in the U.S. Senate by Senator Jack Reed (D) of Rhode Island. If you read through the bill, it creates a new requirement for publicly traded firms to disclose to the Securities and Exchange Commission whether or not their board has any member(s) with security expertise. The bill's definition of Cybersecurity Expertise or Experience is quoted below:
(c) Cybersecurity Expertise Or Experience.—For purposes of subsection (b), the Commission, in consultation with NIST, shall define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats, using commonly defined roles, specialities, knowledge, skills, and abilities, such as those provided in NIST Special Publication 800–181 entitled “NICE Cybersecurity Workforce Framework”, or any successor thereto.
This bill was introduced by Senator Reed and cosponsors Senator Collins and Senator Warner on March 7, 2017. There is very little information about its status other than that it has been introduced and seems to have the support of consumer advocacy groups. I list it first here because it is representative of a mindset change that I will address a bit later in the post.
2) New York State Department of Financial Services Regulation (23 NYCRR 500)
This regulation has been in effect since March 1, 2017; however, the parties it covers have eighteen (18) months to reach full compliance. It applies to companies doing business within the State of New York in the banking/financial services and insurance businesses. Further, there is growing support for similar types of legislation in other states. Many are comparing the possible ripple effect to California’s SB 1386, which set the standard for many state data breach notification laws.
This is a relatively comprehensive regulation that starts with having a designated CISO (internal or 3rd party provided) and includes a whole host of other information security related practices, including but not limited to: a program to detect security events, 3rd party vendor risk assessments, annual pen testing, secure development practices (SDL), a number of policy/procedure items (IR plan, data retention, user privilege auditing) and the use of qualified security practitioners for carrying out core security functions.
3) The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
This new regulation officially becomes law in May 2018. The idea behind the law is to give individuals control over the use of their personal data. This law impacts all 28 nations that are in the EU and any and every company operating in the EU. So, if you operate in the EU and collect any “personal data”, this law has large implications and possible financial impact for your business:
“personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”
What are you required to do? You will need a data retention policy, a data protection officer in place, pseudonymisation of data (think encryption), a data breach notification policy that includes reporting to an oversight agency, readiness to pay fines for being out of compliance, a program of privacy by design and default, and a number of other things. This is pretty sweeping legislation.
I have chosen these three examples of new and proposed legislation because they fundamentally change the way you have been doing business at multiple levels. At the board level, you have to show cybersecurity expertise. Large public corporations that want to be in compliance with the SEC may have to have a cybersecurity expert on the board. This is going to be interesting. The reason I included the proposed definition is that the pool of people with true information security expertise who meet the criteria and have the ability to perform any “board level” function for a publicly traded company is extremely small. The next two impact not only publicly traded firms but a much wider swath of firms, and they require a new “position” of CISO or Data Protection Officer. These are likely the same position and level in most firms. This means that to be in compliance, your org needs to add positions or add responsibilities to your current positions. This is the mindset change I brought up earlier. At this point, legislators want people in the organization responsible for cybersecurity, and they are mandating that firms put someone in place. Now the big question is: will those people get the budget and the ability to make changes? If there is a voice in the boardroom that actually understands infosec, maybe.
These new laws also create new burdens for the folks in the previously mentioned positions. At the low end, there are requirements for policy, procedure and program activities. These are relatively straightforward and can be built and maintained without too much issue or cost. Depending on where your existing information security program sits in the maturity stack, this is likely a relatively low bar for most professional firms. The other side of this is the requirement for new processes: SDL and Privacy by Design and Default. If you have ever been involved with an organization that is trying to implement SDL or adhere to Privacy by Design, you understand what a large undertaking it is. Many organizations operate without formal process and are really marketing and timeline driven when it comes to the development side of the house. We are talking about legislating that organizations implement things that are, by design, set up to ensure safer products rather than to meet timelines. In mature organizations, these two do not have to be mutually exclusive, but when not implemented correctly this can be incredibly contentious.
How is your organization impacted by this legislation? Well, it depends on your organization. Hopefully, you already have a competent CISO, policies and procedures (including data handling, retention, IR, etc.), an SDL program and a developed relationship with 3rd party vendors to fill gaps anywhere you do not have appropriate internal resources. If you have that, you are going to be in relatively good shape. You will need someone in your organization to get familiar with the legislation and make sure that your understanding and application of the applicable law is truly covered by your company’s implementation. If there is any question as to whether or not you are in compliance, get a third party involved to assist in figuring it out. In the case of the EU law, there are some pretty hefty fines (4-5% of worldwide revenue), and I get the sense that these large punitive fines are going to drive compliance more than anything previously has.
If you look at these laws and think that they do not currently impact your organization, think again. This is what the future of cybersecurity compliance legislation is going to look like: pushing the topic to higher and higher levels (up to the board), creating programmatic requirements and making it financially punitive not to be in compliance. The sooner you accept that this is the reality of doing business moving forward, the sooner you can get a plan in place and be compliant. This legislation is just an example of what is to come. We are legislating that cybersecurity is important and that companies have a responsibility to get on board.
If you are interested in virtual CISO assistance, we know a number of folks qualified at varying levels. Or if you simply want to chat further about how your organization can prepare, please reach out.
About the Author
Chris Elbring is Managing Partner and CEO of Anvil Secure. Prior to founding Anvil, Elbring worked as CEO and CTO of a startup security software development firm, President of a boutique, regional security consulting firm, an independent technology and security consultant, Director of Software Development of a mobile, biometric firm and most recently as Senior Vice President of Research and Delivery at IOActive, Inc.