Decoding New Cyber Regs For Midsize Businesses
ISRAEL MARTINEZ AND RICHARD SCHROTH | FEBRUARY 9TH, 2016
True to the discussion in our last MMG article, “A New Year for Cybersecurity: What to Expect in 2016,” new federal regulations governing cybersecurity are already taking shape. The Cybersecurity Act of 2015 was passed in late December as part of the 2016 omnibus spending package; it signals the government’s intent to crack down on cybercrime. We’ll take a look at some of the areas where this law will impact small and midsize U.S. businesses.

First, we should stipulate that no one knows with certainty the consequences of the new regulations because the details of implementation and enforcement have yet to be tested in the field, including in the government and private sectors, and eventually, the courts.

We examined the law in great detail as part of a private sector Enterprise Risk Management Council that we organized during the fourth quarter of 2015. It included general counsel, CEO advisers, former members of the Public Accounting Oversight Board (SEC enforcement), private sector executives, academic experts, former intelligence officers and prosecutors, and others aiming to develop a balanced approach to the implementation of cybersecurity requirements for the private sector. We drafted the first critical path document based on the deadlines and deliverables in the new government bill and in February reviewed our thoughts and observations with the Department of Homeland Security. There is a lot to be digested and implemented this year. It is clear that DHS, which has been tasked with implementing the new law, has targeted specific milestones. U.S. businesses of all sizes will begin to feel the shift.
The Cybersecurity Act of 2015 is divided into four major sections. This article will focus on Title I, Cybersecurity Information Sharing. Most of the considerations for small to medium-sized businesses are contained here. In effect, the act establishes rules for a digital neighborhood watch program that assigns all parties in business a moral responsibility to report how, when and even why cybercriminals are digitally breaking into our cyberhomes. It’s basically saying, “If you see something, say something, and the government will provide liability protection for reporting the information.” Here are some important takeaways:
1. DHS is holding the bag. Prior to the new law, experiencing a cybercompromise was akin to having your house broken into and finding city, state, county and federal law enforcement collecting information to help you without necessarily coordinating with each other through one responsible party. Now the Department of Homeland Security is in charge of collecting, protecting and distributing relevant cyberinformation; that’s an important first step toward achieving accountability. The law stipulates that DHS is responsible for collecting and sharing cyberinformation with other agencies as well as “good neighbors” in the private sector. One downside is that today there is a method for reporting known cybervulnerabilities to a national database, Common Vulnerabilities and Exposures. Because it’s a public source, bad actors can also access it and then exploit the newfound information.
2. Cyber jargon is defined. Terms ranging from “cybersecurity threat” to “threat indicators,” “defensive measures” and “responses” are explained. These definitions are still not perfect, but they do provide a baseline for cybersecurity providers, managed services and consultants who had struggled with subtle differences in the meanings of these terms and their legal implications. The definitions also help organizations manage priorities at an enterprise risk management level, ensuring that everyone is on the same page.
3. The observation tables are turned. Title I of the Cybersecurity Act appears to grant network operators greater rights in monitoring, defending and sharing information beyond “provider exceptions,” offering a tricky balance on a sticky privacy issue. In effect, within limits, the private sector and government can monitor hacker communication if there are “reasonable grounds” to assume those parties are at risk. This helps to level the playing field for the private sector so the good guys can call for backup when they see suspicious activity. In the past, the good guys might have received the equivalent of a ticket or a reprimand for watching the bad actor’s activity in the first place, even on public property networks. We see cybersecurity providers and ISPs extending protection with this provision, but we have a long way to go before such measures will be effective.
4. The government wants you to tell it like it is. One of the greatest barriers to companies sharing cyberthreat information is the perceived liability associated with reporting. Although actual liability is a rare occurrence, technology conferences abound with horror stories about the unintended consequences of information sharing, not to mention general counsel’s recommendations to “keep a lid on it.” The Cybersecurity Act of 2015 appears to provide for exemption of liability if companies are reporting cyberthreats in good faith to DHS or to organizations reporting on their behalf to DHS. By doing so, the government is taking the pressure off small and midsize companies to enable reporting. Bottom line: If you don’t report, your company may be at risk when and if the hard questions are litigated in court.
Now is the time to start sharing your known compromises or breaches with DHS through its partner, the Multi-State Information Sharing & Analysis Center. Cyberthreat as an enterprise risk is clearly becoming an enforceable fiduciary responsibility companies must manage.
Israel Martinez is president and CEO of Axon Global, a cyber-counterintelligence company recognized by the Department of Homeland Security as a leader in its field. He is certified by the DHS in cyber-counterterrorism and defense, and has more than 20 years of experience in enterprise risk management and governance.
Richard Schroth, Ph.D., is managing director for The Newport Board Group’s global cyberpractice. He actively leads world-class teams of cyberprofessionals and board-level advisers seeking to minimize cyberrisk with public boards and private equity firms. Additionally, Schroth is a senior adviser to the CEO of ACG for cybersecurity and serves as the executive director of The American University’s Kogod School of Business Cyber Governance Center in Washington, D.C.