What are you trying to secure against Cyber Attack?





Cybersecurity Legal Landscape
Bonnie Harrington, Executive Counsel, EHS and Product Safety & Cybersecurity, GE Energy Management ("Imagination at work")

What are you trying to secure against Cyber Attack?
- Personally Identifiable Information (PII)
- Payment card data (PCI)
- Protected Health Information (PHI)
- Intellectual Property
- Critical Infrastructure
- Customer Data
- Employee Data
- Big Data (IoT)
- Government Restricted Data

75% of Compliance Officers aren't involved in managing cyber security risk.*
* 2014 Anti-Bribery and Corruption Benchmarking Report (Kroll and Compliance Week Survey)

A few points on Privacy and Data Protection

United States
- Federal: no central regulator or overarching law; regulation is sector-specific (e.g., surveillance, financial services, healthcare)
- State: most states and territories have PII breach notification laws; some also require notification of a regulator

Europe
- EU Data Protection Regulation (PII): adopted by Parliament in March 2014 to replace member-state national laws based on the 1995 Directive; final adoption expected in 2015, with a 2017 effective date
- Key features: consent, right to be forgotten/erasure, fines, data breach reporting/notification

Context: Existing Federal Cyber Law
- The Counterfeit Access Device and Computer Fraud & Abuse Act of 1984: prohibits various attacks on federal computer systems and on those used by banks and in interstate and foreign commerce
- The Electronic Communications Privacy Act of 1986: prohibits unauthorized electronic eavesdropping
- The Computer Security Act of 1987: gave the National Bureau of Standards, now the National Institute of Standards & Technology (NIST), responsibility for developing security standards for U.S. Government computer systems, except national security systems used for defense/intelligence (CNSS); gave the Secretary of Commerce responsibility for promulgating electronic security standards
- The Paperwork Reduction Act of 1995: gave OMB responsibility for developing federal agency cybersecurity policies
- The Clinger-Cohen Act of 1996: made agency heads responsible for ensuring the adequacy of agency information security policies/procedures and established CIO positions in agencies

Context: Existing Federal Cyber Law, continued
- The Homeland Security Act of 2002: gave DHS cybersecurity responsibilities, along with general responsibility for homeland security and critical infrastructure
- The Cyber Security Research and Development Act of 2002: established cybersecurity research responsibilities in NIST
- The E-Government Act of 2002: guide to federal IT management and initiatives to make services available online; includes cybersecurity requirements
- The Federal Information Security Management Act of 2002 (FISMA): strengthened NIST and agency cybersecurity responsibilities, established a federal incident center, and made OMB responsible for promulgating federal cybersecurity standards
- There is no comprehensive Cyber Security Law

NERC background and authority
- Energy Policy Act of 2005, Title XII, Section 1211 (Electric Reliability Standards)
- Amends the Federal Power Act to grant FERC authority to regulate bulk power system reliability
- Directs FERC to designate an Electric Reliability Organization (ERO)
- Authorizes the ERO to develop and enforce reliability standards, including cyber security protection
- Limits FERC's standards-setting authority: FERC may approve, reject, remand for changes, or direct development of new standards

NERC cyber security toolkit

CIP standards (mandatory, enforceable)
- CIP-002: Critical cyber asset identification
- CIP-003: Security management controls
- CIP-004: Personnel and training
- CIP-005: Electronic Security Perimeter (ESP)
- CIP-006: Physical security of critical cyber assets within the ESP
- CIP-007: Systems security management within the ESP
- CIP-008: Incident reporting and response planning
- CIP-009: Recovery plans for critical cyber assets

Alert system (accountable, but not enforceable)
- Industry Advisory: informational; highlights an issue or problem; no response required
- Recommendation to Industry: recommends specific action; response required
- Essential Action: essential to grid reliability; requires NERC Board approval; response required

Cybersecurity Executive Order (February 2013), focused on Critical Infrastructure
- 16 Critical Infrastructure Sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food & Agriculture; Government Facilities; Healthcare & Public Health; Information Technology; Nuclear Reactors, Materials & Waste; Transportation Systems; Water & Wastewater Systems
- NIST Cybersecurity Framework: developed by NIST with industry; Version 1.0 released February 2014; 5 core functions: Identify, Protect, Detect, Respond, Recover; voluntary and evolving
- Critical Infrastructure Cyber Community (C³) Voluntary Program: identifies and notifies owners/operators of critical infrastructure; offers information sharing, technical support, training, assessments
- Cybersecurity Information Sharing: rapid dissemination of unclassified cyber threat reports to targets and expedited personnel clearances; victim notifications by the FBI

Agency Guidance on Cybersecurity

2011 SEC Guidance
- Regulated companies should disclose information about cybersecurity risks and cyber incidents in SEC filings, consistent with general disclosure requirements
- Recent breaches have led to speculation about mandatory requirements in the future

June 2014: SEC Commissioner Aguilar on Cyber Risks and the Boardroom
- Adopt the NIST Framework for managing cyber security risk
- Assign oversight of cyber risk to a specific board committee, preferably a separate risk committee
- Assign in-house corporate expertise to manage cybersecurity risks on a daily basis and report to the board regularly
- Preparedness: response plans that include how to determine the extent of damage and how to disclose internally/externally

2014 DOJ/FTC Policy Statement
- Antitrust law should not be a barrier to legitimate cybersecurity information sharing if proper safeguards are in place
- Information appropriate for sharing: cybersecurity threats, incident reports, indicators, threat signatures, alerts
- Competitively sensitive information such as pricing, output, or business plans cannot be shared

Cyber security policy landscape: 5 key issues
1. Information sharing
2. Clarification of Federal authority
3. Critical infrastructure
4. Liability protections
5. Federal IT systems

Cyber legislation in the 113th Congress

By the numbers: bills introduced and referred to committee, reported by committee, passed by chamber, and signed into law (Senate and House): 14, 10, 7, 4, 7, 1, 0, 0
- Lots of activity, but little movement beyond non-controversial measures
- Progress hamstrung by competing approaches: House leadership favors piecemeal legislation; Senate leadership favors comprehensive legislation; the White House is focused on the NIST Framework and Agency actions

Post-election outlook

Lame Duck session
- Remote chance of seeing cyber provisions in a Continuing Resolution
- Pre-conference discussions suggest support for the following measures: FISMA reform; information sharing (CISPA/CISA); cyber R&D; SAFETY Act amendment (NCCIP)

114th Congress
- Senate Democrats likely to follow the White House retreat from a focus on comprehensive legislation
- Republican victory in the mid-terms could break the cyber logjam in Congress

White House
- Continued focus on the NIST Cyber Framework: further adoption, Version 2.0
- Most activity likely to occur at the Agency level: sector-specific measures

EU: Cybersecurity Strategy
- Strategy for an open, safe and secure cyberspace, in response to risks, incidents and cybercrime; issued February 7, 2013
- Network & Information Security Directive (NIS Directive), adopted by Parliament in March 2014:
  - Common requirements for a NIS strategy, cooperation plan, competent authority, and computer emergency response team (CERT)
  - Common NIS standards for authorities and critical infrastructure providers (energy, transport, banking, stock exchanges, health)
  - Cooperation among Member States: early warnings, response, drills
  - Notification of significant-impact events
  - Audit power; referral of criminal and data protection breaches

What to do now: don't be the 75%!
- Identify what you are trying to protect
- Are your policies in place and up to date?
- Are you testing your policies and procedures through drills?
- For products: are you doing product testing and vulnerability assessments?
- Apply the NIST Framework: how do you stand up in IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER for your cyber risk areas?
- Are you ready for potential mandatory cyber risk and incident reporting?
- Is cybersecurity risk being managed by your board?

"Every compliance officer needs to decide whether it's time for them to be Captain Kirk and boldly go into cyber..."*
* Alan Brill, Sr. Managing Director, Kroll, 2014 Anti-Bribery and Corruption Benchmarking Report (Kroll and Compliance Week Survey)

Web Links
- 2011 SEC Guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
- June 2014 SEC Commissioner Aguilar on Cyber Risks and the Boardroom: http://www.sec.gov/news/speech/detail/speech/1370542057946
- 2014 DOJ/FTC Policy Statement: http://www.justice.gov/atr/public/guidelines/305027.pdf
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
- NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
- Critical Infrastructure Cyber Community (C³) Voluntary Program: http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program
- 2014 Anti-Bribery and Corruption Benchmarking Report: Untangling the Web of Risk and Compliance, a collaboration between Kroll and Compliance Week: http://www.kroll.com/resources/reports/compliance-week-kroll-anti-corruption-bribery-report/