What are you trying to secure against Cyber Attack?

Transcription

1 Cybersecurity Legal Landscape Bonnie Harrington Executive Counsel EHS and Product Safety & Cybersecurity GE Energy Management Imagination at work. What are you trying to secure against Cyber Attack? Personally Identifiable Information (PII) Personal Card Information (PCI) Personal Health Information (PHI) Intellectual Property Critical Infrastructure Customer Data Employee Data Big Data (IoT) Gov t Restricted Data 75 % of Compliance Officers aren t involved in managing cyber security risk * * 2014 Anti-Bribery and Corruption Benchmarking Report (Kroll and Compliance Week Survey) 2 1

2 A few points on Privacy and Data Protection United States Federal: No central regulator or overarching law Sector Specific (e.g., Surveillance, Financial Services, Healthcare) State: Most states and territories have PII breach notification laws some require regulator notification Europe EU Data Protection Regulation PII Adopted by Parliament March 2014 to replace member state national laws based on 1995 directive expected to be adopted in effective date Consent, right to be forgotten/erasure, fines, data breach reporting/notification 3 Context: Existing Federal Cyber Law The Counterfeit Access Device and Computer Fraud & Abuse Act of 1984 Prohibits various attacks on federal computer systems and on those used by banks and in interstate and foreign commerce The Electronic Communications Privacy Act of 1987 Prohibits unauthorized electronic eavesdropping The Computer Security Act of 1987 Gave National Institute of Science & Technology (NIST) responsibility for developing security standards for USG computer system»except national security systems used for defense/intelligence (CNSS) Gave responsibility to Secretary of Commerce for promulgating electronic security standards The Paperwork Reduction Act of 1995 Gave OMB responsibility for developing federal agency cybersecurity policies The Clinger-Cohen Act of 1996 Agency heads responsible for ensuring adequacy of agency information security policies/procedures and established CIO positions in agencies 4 2

3 Context: Existing Federal Cyber Law, continued The Homeland Security Act of 2002 Gave DHS cybersecurity responsibilities, along with general responsibility for homeland security and critical infrastructure The Cyber Security Research and Development Act of 2002 Established cybersecurity research responsibilities in NIST The E- Government Act of 2002 Guide to federal IT management and initiatives to make services available online, includes cybersecurity requirements The Federal Information Security Management Act of 2002 (FISMA) Strengthened NIST and agency cybersecurity responsibilities, established federal incident center, made OMB responsible for promulgating federal cybersecurity standards No comprehensive Cyber Security Law 5 NERC background and authority Energy Policy Act of 2005 Title XII Section 1211 (Electric Reliability Standards) Amends Federal Power Act to grant FERC authority to regulate bulk power system reliability Directs FERC to designate an Electric Reliability Organization (ERO) Authorizes ERO to develop and enforce reliability standards, to include cyber security protection Limits FERC standards-setting authority approve, reject, remand for changes, or direct development of new standards 6 3

4 NERC cyber security toolkit CIP standards CIP-002: Critical asset designation CIP-003: Cyber security management controls CIP-004: Personnel security standards CIP-005: Electronic security perimeter (ESP) definition CIP-006: Physical security for ESP CIP-007: Electronic ESP security CIP-008: Incident reporting and response planning CIP-009: Recovery planning for cyber assets Mandatory, enforceable Alert system Industry Advisory Informational highlight issue or problem No response required Recommendation to Industry Recommends specific action Response required Essential Action Essential to grid reliability Requires NERC Board approval Response required Accountable, but not enforceable 7 Cybersecurity Executive Order February Critical Infrastructure Sectors NIST Cybersecurity Framework Developed by NIST with industry Version 1.0 released in Feb core functions: identify, protect, detect, respond and recover Voluntary and evolving Critical Infrastructure Cyber Community (C 3 ) Voluntary Program Identifies and notifies owners/operators of critical infrastructure Offers information sharing, technical support, training, assessments Cybersecurity Information Sharing Rapid dissemination of unclassified cyber threat reports to targets and expedited personnel clearances Victim notifications by the FBI Chemical Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy Financial Services Food & Agriculture Government Facilities Healthcare & Public Health Information Technology Nuclear Reactors, Materials & Waste Transportation Systems Water & Wastewater Systems Focused on Critical Infrastructure 8 4

5 Agency Guidance on Cybersecurity 2011 SEC Guidance Regulated companies should disclose information about cybersecurity risks and cyber incidents in SEC filings consistent with general disclosure requirements Recent breaches have led to speculation of mandatory requirements in the future June 2014 SEC Chair Aguilar on Cyber Risks and the Boardroom Adopt the NIST framework for managing cyber security risk Assign oversight of cyber risk to a specific board committee, preferably a separate risk committee Assign in-house corporate expertise to manage cybersecurity risks on daily basis and report to the board regularly Preparedness: response plans that include how to determine extent of damage and how to disclose internally/externally 2014 DOJ/FTC Policy Statement Antitrust should not be a barrier to legitimate cybersecurity information sharing if proper safeguards in place Information appropriate for sharing: cybersecurity threats, incident reports, indicators, threat signatures, alerts Cannot share competitive information such as pricing, output or business plans 9 Cyber security policy landscape 5 key issues 1. Information sharing 2. Clarification of Federal authority 3. Critical infrastructure 4. Liability protections 5. Federal IT systems 10 5

6 Cyber legislation in the 113 th Congress By the numbers Senate Introduced and referred to committee Reported by committee Passed by Chamber Signed into law House Lots of activity, but little movement beyond non-controversial measures Progress hamstrung by competing approaches House leadership piecemeal legislation Senate leadership comprehensive legislation White House focused on NIST Framework and Agency actions 11 Post-election outlook Lame Duck session Remote chance of seeing cyber provisions in Continuing Resolution Pre-conference discussions suggest support for the following measures: FISMA Reform Info-sharing (CISPA/CISA) Cyber R&D SAFETY Act amendment (NCCIP) 114 th Congress Senate Dems likely to follow White House retreat from focus on comprehensive legislation Republican victory in mid-terms could break cyber logjam in Congress White House Continued focus on NIST Cyber Framework further adoption, Version 2.0 Most activity likely to occur at Agency level sector-specific measures 12 6

7 EU: Cybersecurity Strategy Strategy for open, safe and secure cyberspace in response to risks, incidents and cybercrime issued February 7, 2013 Network & Information Security Directive (NIS Directive) adopted by Parliament in March 2014: Common requirements for NIS strategy, cooperation plan, competent authority, computer emergency response team (CERT) Common NIS standards for authorities and critical infrastructure providers (energy, transport, banking, stock exchange, health) Cooperation among Member States early warnings, response, drills Notification of significant impact events Audit power, referral of criminal and data protection breaches 13 What to do now Don t be the 75%! Identify what you are trying to protect Are your policies in place and up to date? Are you testing your policies and procedures through drills? For Products: are you doing product testing and vulnerability assessments? Apply the NIST Framework how do you stand up in IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER for your cyber risk areas? Are you ready for potential mandatory cyber risk and incident reporting? Is cybersecurity risk being managed by your board? Every compliance officer needs to decide whether it s time for them to be Captain Kirk and boldly go into cyber... * * Alan Brill, Sr. Managing Director, Kroll, 2014 Anti-Bribery and Corruption Benchmarking Report (Kroll and Compliance Week Survey) 14 7

8 Web Links 2011 SEC Guidance: June 2014 SEC Chair Aguilar on Cyber Risks and the Boardroom: DOJ/FTC Policy Statement: Executive Order 13636, Improving Critical Infrastructure: NIST Cybersecurity Framework: Critical Infrastructure Cyber Community (C3) Voluntary Program: Anti-Bribery and Corruption Benchmarking Report: Untangling the Web of Risk and Compliance, A collaboration between Kroll and Compliance Week: