THE FUTURE OF CYBERSECURITY: STANDARDS AND REGULATION

Transcription

1 THE FUTURE OF CYBERSECURITY: STANDARDS AND REGULATION Paul Rosenzweig Red Branch Consulting PLLC

2 The Economics of Cybersecurity Non-Exclusive (Use by A does not prevent use by B) Exclusive (Use by A prevents use by B) Non-Rivalrous (Use by A does not affect use by B) Public Goods National Defense Clean Air Cybersecurity Threat Information Club Goods Private Club Movie Theater Secure Networks Rivalrous (use by A affects use by B) Common Pool Goods Fishing Grounds Parks Early Internet (?) Private Goods Shoes Automobiles Cybersecurity Firewalls Intrusion Detection Systems

3 Externalities in Private Goods

4 Classic Responses Private Ownership Regulation Taxation Government Control Problems with Regulatory Models Free Riders Rent Seekers/Regulatory Capture Cyber A Distributed and Dynamic Environment The soft answer Standard Setting

5 Where are we today?

6 The NIST Framework: Step 1: Prioritize and Scope. Step 2: Orient. Step 3: Create a Current Profile. Step 4: Conduct a Risk Assessment. Step 5: Create a Target Profile. Step 6: Determine, Analyze, and Prioritize Gaps. Step 7: Implement Action Plan.

7 Cybersecurity Framework

8

9 How Did I Do?

10 Incentives for Voluntary Compliance Cybersecurity Insurance Implies liability for non-compliance Grants Monetary incentives Process Preference DOD procurement preference or requirement Liability Limitation Safe harbor for compliance Streamline Regulations Easier access to regulatory system Public Recognition Shiny gold star Rate Recovery for Price Regulated Industries Better profits Cybersecurity Research More Inormation

11 Changing Regulatory Framework Recent Cases SEC Disclosure and Audits FTC -- Data breaches from inadequate security is an unfair business practice Litigation Cybersecurity as a breach of contract or a tort of negligence

12 SEC Disclosure and Audits October 2011 (Disclosure Guidance) Material affect (known incidents or potential incidents) Risk Factors Management Discussion and Analysis Description of Business Legal Proceedings Financial Disclosures (Pre- and Post-incident) April 2014 Examination of 50 broker-dealers and investment advisers Cyber questionnaire based on the NIST Framework

13 FTC v. Wyndham Hotel Unfair business practice under 5 of the FTA Russian hackers steal customer information Potential civil liability LabMD: FTC must disclose standards Summer 2015: FTC can set standards by consent decree

14 Two Litigation Cases PATCO v. People s Bank Breach of contract Russian mob steals PATCO s $ from bank PATCO sues Commercially reasonable cybersecurity measures Lone Star Bank v. Heartland Payment Tort of negligence Heartland loses customer payment info; Lone Star incurs costs Negligence and economic loss under NJ law

15 Implications for the Future Standards Liability Liability Insurance (Data breach only) Insurance Compliance Monitoring and Audits Audits and Insurance Assessment Assessment Safe Harbor So. New insurance products for cybersecurity failures Similar to data breach New audit requirements Public companies in particular New assessment opportunities Equivalent of UL for cyber systems

16 Guidance is flooding out you could write a book on it! Financial Services Information Sharing and Analysis Center (FS-ISAC) SIFMA Principles for Effective Cybersecurity Regulatory Guidance (Oct. 2014) SEC OCIE Cybersecurity Report (Feb. 2015) FINRA s February 2015 Report on Cybersecurity Practices (Feb. 2015) SEC Division of Investment Management issued Guidance Update: Cybersecurity Guidance (April 2015) DOJ issued Best Practices for Victim Responses and Reporting of Cyber Incidents (April 2015)

17 Private Sector Self Help Computer Fraud and Abuse Act (CFAA) no unauthorized access Private Sector hack back in self defense On own network v. outside network Preventive v. analytic v. destructive What about international law? Violation of other nations statutes? Laws of Piracy?

18 Read It. Or Watch it on TV