The document summarizes key topics from a presentation on integrating federal regulatory initiatives related to data security laws and regulations. It discusses the FTC's authority to enforce reasonable security practices and outlines the SEC's transparency standards for releasing details about cyber incidents. The summary is:
The FTC enforces reasonable security standards through Section 5 of the FTC Act and establishes pillars of assessment, risk management, and response planning. The SEC provides disclosure guidelines requiring details on cyber risks, controls, and procedures, and may turn guidelines into standards for transparency. The presentation also reviewed responding to SEC inquiries regarding data breach policies.
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
1. Integrating the Latest Federal Regulatory Initiatives
into Practice through an Examination of
Data Security Laws and Regulations
Robert Craig, CISSP.
Direct Support to the CISO
Insider Threat
Intelligence Agency
February x, 2015
This was intended for a Marcus Evans event to be
held in Washington DC in February 2015, which
was cancelled. There were a few more SEC
slides to be developed.
2. Topics
Reviewing FTC regulation and
compliance policies.
Releasing details on an attack in
compliance with SEC’s transparency
standards.
Predicting the future directions of
federal regulations
3. NMCIWG: Daily Computer Threat News
Tuesday, January 06, 2015
• The hidden dangers of third party code in free apps
• PayPal complete account hijacking bug gets fix, no award given
• Morgan Stanley says wealth management employee stole client data
• Three Million MoonPig customer accounts exposed by flaw
Monday, January 05, 2015
• Target hackers hit OneStopParking.com
• Microsoft Goes After More Tech Support Scammers
• 2014 was the year hacking became the norm
• Lizard Squad launches $6 DDoS tool
• Snooki's Instagram Is Hacked
• 5 Small Business Takeaways from Sony’s Hack
• Majority of 4G USB Modems Vulnerable And SIM Cards Exploitable Via SMS
• Sony: PlayStation Network is back online now, really
• Exploit for Android same origin policy flaw is leveraged against Facebook users
• Internet Systems Consortium website has been compromised to serve malware
• FBI Probes If Banks Hacked Back as Firms Explore Cyber Offensive
• Lizard Squad Member Said Group Provided Log-Ins Used In Sony Attack
• Low-risk 'worm' removed at hacked South Korea nuclear operator
• Hackers Compromise Official Bryan Adams Website
• France Passes Online Surveillance Law That Makes It Legal to Spy on Internet Users
Monday, December 29, 2014
• Malware families distributed through malicious campaign targeting WordPress sites
• Rackspace restored after DDOS takes out DNS
• FBI Investigating Hacker Group over Xbox Live and Playstation Network Attacks
• Hackers claim to have exposed Sony, PlayStation personal data
• Bad, bad Internet news: Internet Systems Consortium site hacked
• Hacker Generates Fingerprint of German Defense Minister from Public Photos
• Cyber attack on Angela Merkel aide: Report
• Beware! Hackers are eyeing your car’s safety features to extort money
• South Korea Says Nuclear Reactors Safe After Cyber-attacks
• Thunderstrike Mac Attack Achieves Persistence
• U.S. firm finds malware targeting visitors to Afghan govt websites
• Children’s Hospital pays $40,000 over stolen data
• Meet Anunak - The Hacker Crew That Owned Staples and Earned $18m In 2014
5. “Only federal agency with the authority to enforce such a standard across broad
swaths of the U.S. economy”.
Main legal authority in the data security space is provided by:
Section 5 of the FTC Act
Ability to stop unfair or deceptive acts or practices.
Other data security enforcement authorities:
Gramm-Leach-Bliley Act and the Safeguards Rule,
Fair Credit Reporting Act,
The HIPAA HITECH Act,
Children’s Online Privacy Protection Act and its implementing rule.
Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center
for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity” September 17, 2014
Federal Trade Commission
Legal Authorities
FTC
FTC Act Section 5
Unfair or Deceptive Acts or Practices
United States Code Title 15, Chapter 2, Subchapter I, Section 45
Public Law 109-455
6. Practices: the ‘pillars of reasonable security’
Established through settlements (> 50 data security cases).
Assessing and addressing security risks must be a continuous process.
There is no single, right way to do these assessments.
It depends on the volume and sensitivity of information the company holds, the cost of the tools that are available to address vulnerabilities, and other factors.
NIST Framework takes a similar approach by identifying different risk
management practices and defining different levels of implementation.
Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center
for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity” September 17, 2014
Federal Trade Commission
Security ‘Threshold’
FTC
7. Companies are accountable for their practices and the representations they
make.
Applying Section 5 to data security, as the FTC applies it to other commercial activities, is considered appropriate and consistent.
Actions are brought when systemic failures
in a company’s data security practices are discovered.
Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center
for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity” September 17, 2014
Federal Trade Commission
‘reasonable security practices’
FTC
FTC’s data security enforcement actions initially focused on deception.
The key difference between unfairness and deception is that unfairness may be
applicable even in the absence of a representation or omission in information
presented to consumers.
Recent data security cases show that Section 5 is up to the task of protecting
consumers in the rapidly changing environment of mobile technology and ‘apps’.
8. Emphasizes companies need to implement practices that are appropriate for
their businesses.
Do a risk assessment.
Minimize personal information about consumers.
Implement technical and physical safeguards.
Train employees to handle personal information properly.
Have a plan in place to respond to any security incidents that occur.
Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center
for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity” September 17, 2014
Federal Trade Commission
‘reasonable security practices’
FTC
9. “Section 5 is up to the task of protecting consumers in the rapidly changing
environment of mobile technologies”.
Mobile devices and ‘apps’ can leave a broad range of sensitive personal
information at risk.
FTC brought enforcement actions against two popular ‘apps’.
Credit Karma and Fandango.
‘Apps’ contained flawed implementations of the Secure Sockets Layer (SSL)
protocol, which is a common means for encrypting data in transit.
Susceptible to “man in the middle attacks,” in which an impostor could pose as
a legitimate data recipient and collect highly sensitive information from
consumers – including Social Security numbers in the case of Credit Karma, and
credit card information in the case of Fandango.
The FTC alleged that the companies had overridden more secure default settings and failed to test adequately.
Source: On the Front Lines: The FTC’s Role in Data Security, U.S. Federal Trade Commissioner Julie Brill, Keynote Address Before the Center
for Strategic and International Studies, “Stepping into the Fray: The Role of Independent Agencies in Cybersecurity” September 17, 2014
Federal Trade Commission
Mobile Technology
FTC
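An added illustration, not part of the original deck: the overridden-default pattern the Credit Karma and Fandango complaints describe, reproduced with Python's ssl module beside the secure default, plus an audit function that flags the disabled checks so the weakness is caught in testing rather than by an impostor server. Function names are hypothetical.

```python
import ssl

# Constructed example: the FTC alleged that both apps overrode the platform's
# default certificate validation, so a man in the middle could present any
# certificate and be accepted as the legitimate data recipient.

def weak_client_context() -> ssl.SSLContext:
    """Reproduces the pattern alleged in the complaints: validation switched off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # cert is no longer tied to the server name
    ctx.verify_mode = ssl.CERT_NONE   # any certificate accepted, even self-signed
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Keeps the secure defaults (CERT_REQUIRED, check_hostname) and raises the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy SSL/TLS versions
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings that would let an impostor pose as the real server.

    An empty list means the context still enforces the secure defaults;
    this is the kind of automated check the 'failed to test adequately'
    allegation points at.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions still negotiable")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        result = audit_context(ctx) or ["no findings"]
        print(f"{name}: " + "; ".join(result))
```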
11. SEC issued a set of disclosure guidelines in 2011.
Companies to disclose any potential cyber risk.
Possible effects of that risk.
Status of internal controls.
Risk management procedures in place.
SEC is revisiting the issue and considering turning guidelines into standards.
Desired Outcome: Companies will have to live up to the level of transparency their investors
have come to expect.
Source: The Security Ratings Blog, “How can the SEC become the primary regulator of corporate cyber security?”, Posted by Ben
Fagan, LinkedIn, Aug 6, 2014 9:00:00 AM
Releasing details of a cyber incident
Compliance with the SEC’s transparency standards
SEC
12. Minimum standard for breach transparency would hold companies accountable for their
security procedures.
Desired Outcome: To make it more likely that companies would regularly measure security
performance.
Desired Outcome: Rather than be subject to investigation by the SEC, companies would
hopefully opt to improve their standing with the Commission and shareholders by properly
reporting security breaches.
Source: The Security Ratings Blog, “How can the SEC become the primary regulator of corporate cyber security?”, Posted by Ben
Fagan, LinkedIn, Aug 6, 2014 9:00:00 AM
Releasing details of a cyber incident
Compliance with the SEC’s transparency standards
SEC
13. Securities and Exchange Commission
Division of Corporation Finance
CF Disclosure Guidance: Topic No. 2 “Cybersecurity” October 13, 2011
Laws are designed to elicit disclosure of timely, comprehensive, and accurate
information.
Risks and events that a reasonable investor would consider important to an
investment decision. [2]
Material information regarding cybersecurity risks and cyber incidents is
required to be disclosed:
In order to make other required disclosures, in light of the circumstances under
which they are made, not misleading. [3]
Disclose the risk of cyber incidents if issues are among the most significant
factors that make an investment in the company speculative or risky. [4]
SEC
14. SEC – Disclosure Guidance : Risk Factors
Determining if a risk factor disclosure is required:
Evaluate cybersecurity risks and take into account all available relevant information.
Prior cyber incidents and the severity and frequency of those incidents.
Probability of cyber incidents occurring.
Quantitative and qualitative magnitude of those risks.
Potential costs and other consequences from misappropriation of assets or sensitive
information, corruption of data or operational disruption.
Adequacy of preventative actions taken to reduce cybersecurity risks (context of the
industry in which they operate).
Cybersecurity risk disclosure must adequately describe the nature of the
material risks and specify how each risk affects the registrant.
Do not present risks that could apply to any issuer or any offering and avoid
generic risk factor disclosure. [5]
SEC
15. Disclosures may include:
Discussion of business or operations that give rise to material
cybersecurity risks and the potential costs and consequences.
Extent of outsourcing functions that have material cybersecurity risks.
Description of those functions and how those risks are addressed.
Description of cyber incidents that have been experienced that are
individually, or in the aggregate, material.
Include a description of the costs and other consequences.
Risks related to cyber incidents that may remain undetected for an
extended period.
Description of relevant insurance coverage.
SEC – Disclosure Guidance : Description
SEC
16. Disclose known or threatened cyber incidents to place the discussion of
cybersecurity risks in context.
For example, if a registrant experienced a material cyber attack in which malware
was embedded in its systems and customer data was compromised, it likely would
not be sufficient for the registrant to disclose that there is a risk that such an attack
may occur.
Instead, as part of a broader discussion of malware or other similar attacks that
pose a particular risk, the registrant may need to discuss the occurrence of the
specific attack and its known and potential costs and other consequences.
Provide disclosure tailored to particular circumstances.
Avoid generic “boilerplate” disclosure.
Provide sufficient disclosure to allow investors to appreciate the nature of the
risks faced.
SEC reiterates that the federal securities laws do not require disclosure that
itself would compromise cybersecurity.
SEC – Disclosure Guidance : Description (continued)
SEC
17. Responding to SEC Inquiries Concerning:
Data Breach and Data Security Policies
Jurisdiction over the policies and practices of the securities industry
Ensures the integrity of the securities exchanges and provides investor
protection.
Conducts periodic examinations of industry participants
Investment Banks, Asset Managers, Hedge Funds, and Mutual Funds
Requires regulated entities to perform a risk assessment of various
cybersecurity risks and adopt written policies and procedures.
Source: Marc Powers on October 28, 2014 Posted in http://www.dataprivacymonitor.com/category/data-breaches/
SEC
So the fact that there’s an isolated vulnerability in a product or service that a company offers, or even the fact that a company suffers a breach, does not mean that the FTC will come calling, let alone file a lawsuit.
It is the company that decides what data to collect, how to use it, and when – if ever – to get rid of it.
Do a risk assessment. Companies should know what information they have, how it flows through their enterprise, what kind of access employees and third parties have to this information, and what vulnerabilities could compromise its confidentiality, integrity, or availability.
Minimize personal information about consumers. Limiting the consumer information that companies collect and retain to what is necessary to fulfill legitimate business needs will help reduce unnecessary security risks.
Implement technical and physical safeguards. Security measures like firewalls, strong passwords, and limiting the circumstances under which sensitive personal information may be stored on laptops are important but not sufficient.
Protecting information “the old fashioned way” – by ensuring that back up tapes, CDs, external hard drives, USB thumbdrives and the like are locked up, and securely destroyed when no longer needed – is a risk reducing complement to security measures deployed on computers and networks.
Train employees to handle personal information properly.
Have a plan in place to respond to any security incidents that occur.
Target’s infamous security breach in 2013 was a highly publicized event. Some have questioned why it took Target four days to publicly disclose the breach of its customers’ sensitive information, saying that the retailer had the responsibility to inform customers as soon as the problem was discovered. According to CNBC, Target Chairman and CEO Gregg Steinhafel claims the four-day period from security breach to public disclosure was actually fast, considering the retailer identified, investigated and took security actions during that period.
John Mutch, CEO of BeyondTrust, reported to Forbes that 27 of the largest companies that reported cyber breaches claimed to have suffered no financial losses. Evidence, however, indicated otherwise. Sony doled out $171 million to clean up their incident, while Heartland Payment Systems lost an estimated $140 million.
[2] The information in this disclosure guidance is intended to assist registrants in preparing disclosure required in registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934. In order to maintain the accuracy and completeness of information in effective shelf registration statements, registrants may also need to consider whether it is necessary to file reports on Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents. See Item 5(a) of Form F-3 and Item 11(a) of Form S-3.
[3] Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9. Information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available. See Basic Inc. v. Levinson, 485 U.S. 224 (1988); and TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976). Registrants also should consider the antifraud provisions of the federal securities laws, which apply to statements and omissions both inside and outside of Commission filings. See Securities Act Section 17(a); Exchange Act Section 10(b); and Exchange Act Rule 10b-5.
[4] See Item 503(c) of Regulation S-K; and Form 20-F, Item 3.D.