For those who were around for the collapse of Enron, the pattern was clear. Failure of management oversight of accounting controls was blamed (at least partially) for the failure of Enron and the entire market collapse that followed. The legislative response from the financial regulators was the Sarbanes-Oxley Act (also known as Sarbox or SOX). The idea was that if management had greater accountability for internal accounting controls, a future Enron could be prevented.
A parallel universe is now developing in the world of cyber security. But this cause-and-effect linkage is much less explicit. Instead, this idea of accountability for internal cyber controls is being introduced by a few key pillars. Once these pillars converge, we will effectively have a Sarbanes-like structure for cyber security. All companies should be aware of this trend to properly prepare for the future of cyber security governance.
A Failure of Internal Controls
In much the same way that Sarbox was a response to failures of internal accounting controls, US and EU legislators are responding to data breaches as failures of internal cyber security controls. In other words, common cyber security “leading practices” are not being followed, leading to data breaches across the globe. So regulators are attempting to address this by requiring management accountability in cyber security.
The difference, of course, is that while public accounting has had “standards” for many years, no such “agreed upon procedures” exist in the world of cyber security. Various attempts have been made at a government level, including the NIST-CSF in the US and the Cyber Essentials in the UK. However, these attempts fall short of the details needed to function as an established baseline of internal controls, leaving organizations to fend for themselves.
Pillar 1: NYS-DFS Accountability and Attestation
One of the most recent regulatory attempts at management accountability is the New York State Department of Financial Services Regulation (“NYS-DFS”) 23 NYCRR 500. While this regulation was only targeted at financial entities doing business in New York, the broad definitions in the law made it apply to hundreds of thousands of businesses. Furthermore, the NYS-DFS framework is being used as a NAIC “model law” that is already adopted by five other states.
Where NYS-DFS stands out from other state-level regulations is the level of management accountability. Section 5.0 of the regulation requires that a senior executive of the firm “sign off” on the effectiveness of the organization’s cyber security controls.
Section 500.17 Notices to Superintendent. Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year.
From a legislative perspective, this is similar to the Sarbanes-Oxley requirement that executive management personally attest to the effectiveness of financial controls. This created a level of accountability that was unprecedented, and it trickled down into an entire industry of “Governance, Risk and Compliance” tools developed to ensure that management had the proper visibility into the organization.
Sarbox was careful to defer the definition of “internal control frameworks” to third parties. For example, FASB (Financial Accounting Standards Board) and COBIT (Control Objectives for Information and Related Technologies) could be leveraged for determining internal controls.
NYS-DFS, however, took the unfortunate step of trying to outline its own list of cyber security requirements. One can only guess that this was in response to the lack of existing cyber security standards. In any case, the precedent has been established: Senior management is going to be accountable for the implementation of proper cyber security.
Pillar 2: GDPR and Contract Remedies
The General Data Protection Regulation (GDPR) is also setting some important precedents relating to management accountability. One of the key ideas of GDPR is to maintain security of PII in the supply chain by requiring third-party “Processors” to establish a formal information security program. In addition, GDPR requires that specific contracts be created to define the nature of the data processing.
Part of the governance structure is creating a level of management accountability on the part of the processor. The controls for protecting information must be formally documented and committed to by senior management through “binding instruments”.
Art. 40 GDPR Codes of conduct (3)
Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
Unlike NYS-DFS, GDPR does not reference any specific set of internal cyber security controls. However, GDPR essentially requires the organization to adopt a set of controls and then have management attest to these controls via contracts. So while NYS-DFS does reference third-party security, GDPR puts teeth into the requirement for a legal ‘wrapper’ around the governance program.
Pillar 3: SEC and Public Disclosure
Perhaps the most logical place for Sarbox-like cyber security controls to mature into the market is with the SEC. After Enron and Sarbox, management was required to disclose “Significant Financial Risks” in corporate filings such as the 10-K and 10-Q. The SEC has already indicated that organizations should disclose “Material Cyber Risks” as part of their public filings [17 CFR Parts 229 and 249].
Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
However, today there is little guidance to determine what a “Material” cyber risk might be. In any case, if we take the financial accountability analogy to its logical conclusion, eventually the SEC will require some type of formal management disclosure in public filings. This will leave organizations scrambling once again to determine a proper set of controls that can be used as a basis for analysis.
NYS-DFS has similar requirements for disclosure with virtually the same language. The Superintendent must be notified of any Cybersecurity “Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” [Sec. 500.17]
Accountability and Attestation
These trends are clearly pointing in one direction: Senior Management within an organization must be prepared to formally understand and attest to the organization’s cyber risk and readiness. In addition, the organization must understand how its commitments to external parties are represented in legal contracts. This creates a new level of interaction and communication between the cyber and legal functions of the organization.
Preparing for the Future (that’s already here)
While there is still no single law that explicitly requires all of these key elements, parts are already in place. So how can an organization prepare for the future? These are the fundamental steps:
- Adopt a formal information security and data privacy control framework that addresses key risks and regulatory requirements.
- Document the control framework with written policies, standards and procedures and organizational roles and responsibilities.
- Assign accountability for the implementation and validation of the control framework.
- Validate the controls according to an established schedule. Key controls should be validated at least once annually.
- Preserve the “artifacts” and evidence of compliance for a period of 5-7 years.
- Review and understand the organization’s contractual and legal obligations with third-parties and adjust accordingly.
While these steps are not simple, they are not impossible by any means – even with limited resources. The key is to adopt a structure of internal cyber security controls that works.
The Information Shield Approach
Information Shield provides an approach to dramatically simplify the process of defining, documenting and validating a cyber security program. Using our Compliance Shield platform, organizations can build a robust and defensible security program in minutes. Once defined, the organization can then document and track management accountability and compliance, leading to an Information Shield Cyber Certification. Finally, compliance evidence and artifacts can be shared with auditors and third-parties via secure web portal.