PwC’s Global Economic Crime Survey 2014 Indicates a Greater Occurrence of Fraud in U.S. Companies Compared to the Rest of the World

Accounting fraud, bribery and corruption on the rise; cybercrime moves to the forefront of U.S. companies’ concerns

NEW YORK, February 19, 2014 – More than half of U.S. organizations that experienced fraud in the last two years reported an increase in the number of occurrences, according to the Global Economic Crime Survey 2014 released today by PwC US, continuing an upward trend in both the occurrence and the detection of economic crime. Forty-five percent of organizations in the U.S. suffered some type of fraud in the past two years, above the global average of 37 percent. U.S. companies are growing their international operations, and the expanding role of the internet and mobile technology in business can bring risk from beyond their geographic footprint. The survey revealed that 54 percent of U.S. respondents reported fraud in excess of $100,000, with eight percent reporting fraud in excess of $5 million.

“Economic crime has become a truly borderless threat,” said Steven Skalak, partner in PwC's Forensic Services practice and lead editor of the global survey. “The reality of fraud is that it can impact a company’s revenues as directly as other business and market forces. The risk of bribery and corruption grows as U.S. organizations increasingly operate in and pursue opportunities in high-risk markets.”

Significant Uptick in Cybercrime

Companies are beginning to change how they think about cybersecurity, viewing it as a business issue rather than just an IT issue. Forty-four percent of U.S. organizations that experienced fraud in the past 24 months suffered from cybercrime, and 44 percent of all U.S. respondents thought it likely that their organization would suffer from cybercrime within the next 24 months. Seventy-one percent of U.S. respondents said their perception of the risk of cybercrime had increased over the past 24 months, rising 10 percent from 2011, and U.S. respondents’ perception of cybercrime risk exceeded the global average by 23 percent. Despite having more to lose, U.S. respondents were generally less aware of the cost of cybercrime: 42 percent of U.S. respondents were unaware of cybercrime’s cost to their organizations, compared to 33 percent of global respondents.

Didier Lavion, PwC principal and lead author of the U.S. report, said, “U.S. corporations need to better leverage and implement the computational and analytical power of cybersecurity technologies to help combat the increasing global presence of cybercrime.”

Who is Committing Fraud?

As organizations rely more on technology, they increasingly do business in a “borderless economy” where they are exposed to threats from all sides. The results are clear: while companies should not lose sight of the internal perpetrator of fraud, they must remain wary of the external perpetrator. External perpetrators are closing the gap on internal perpetrators, with U.S. organizations reporting that economic crime is committed by external actors (44 percent of the time) almost as often as by internal actors (50 percent of the time).

According to PwC, most internal frauds are now perpetrated by middle management: 54 percent of internal frauds were committed by middle management, compared to 45 percent in 2011. Both U.S. and global respondents most frequently identified internal fraudsters as male (77 percent U.S., 77 percent global), 31 to 40 years old (39 percent U.S., 40 percent global), employed between three and five years (27 percent U.S., 29 percent global) and college graduates (35 percent U.S., 35 percent global).

Fraud Detection

The share of fraud at U.S. organizations that was initially detected by external measures or by accident more than doubled from 2011 levels, from 15 percent in 2011 to 32 percent in 2014, and external tip-offs became the single most common initial detection method. Fraud initially detected by suspicious transaction reporting plummeted by 19 percentage points, from 30 percent in 2011 to 11 percent in 2014. Eighty-six percent of U.S. organizations have a whistleblower mechanism, according to the report, compared to only 62 percent of global organizations.

Other Notable Findings

Two types of fraud, accounting fraud and bribery and corruption, increased in 2014. Accounting fraud rose to 23 percent in 2014, from 16 percent in 2011. Bribery and corruption, at 14 percent in 2014, doubled from 2011 levels (7 percent).

For the first time, PwC specifically asked respondents about procurement fraud. The results were stark: more than a quarter of U.S. respondents reported suffering from procurement fraud (27 percent), immediately placing it as the third most frequent type of fraud experienced by U.S. organizations. According to the report, this reflects the increasing interconnectedness of companies and the ongoing trend toward outsourcing more aspects of their businesses.

“With more opportunities come more risks; no longer can organizations focus their fraud prevention and detection strategies on only a few types of fraud, a certain profile of fraudster, or certain perceived threats. They must be prepared to cast a wider net, for the threats associated with fraud are growing,” concluded Lavion.

For a full copy of the PwC Global Economic Crime Survey 2014, please visit: www.pwc.com/us/crimesurvey

NOTES TO EDITORS

The 2014 Global Economic Crime Survey was completed by 5,128 respondents from 95 countries between August and October 2013. Of the respondents, 50% were senior executives, 35% represented publicly listed companies, and 54% were from organizations with more than 1,000 employees. There were 115 U.S. respondents; of these, 36% were senior executives, 53% represented publicly listed companies and 76% were from organizations with more than 1,000 employees.

About PwC US

PwC US helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms in 157 countries with more than 184,000 people. We're committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US. Gain customized access to our insights by downloading our thought leadership app: PwC's 365™ Advancing business thinking every day. Learn more about PwC by following us online: @PwC_LLP, YouTube, LinkedIn, Facebook and Google +.

Media contact: Kathryn Oliver, PwC US

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Source: http://www.pwc.com/us/en/press-releases/2014/pwc-gecs-press_release.jhtml (captured 03/27/2014 12:22:41 PM)
North Carolina Banking Institute Panel: Responding to a Cybersecurity Breach

Information for the Panelists and Audience

This panel discussion is designed to stimulate the panelists and the audience to develop and share their insights on a series of security-related events during a breach in the life of a fictional banking services company.

• It will focus on a scenario in which a cybersecurity breach and the subsequent fallout have impacts on the company’s brand and the confidence of its customers and shareholders.
• Panelists will be asked to focus on consequence management and not delve into the technical aspects of the breach.
• The panel will operate on the following assumption: the late 2013 cybersecurity breaches of companies in the US retail sector that led to the compromise of PII have resulted in an intensification of public concern about protecting personal information and privacy.

The 90-minute session will be divided into three segments, each corresponding to one month of a reportable quarter. At the beginning of each of the three “months,” the panel moderator, PwC Principal Charles Beard, will lay out a series of management assertions being made about recent developments to the fictional bank’s Board and other key stakeholders. The panelists will role-play in positions analogous to their real-life jobs (outside counsel, etc.). The moderator will query the panelists about their assessment of the situation as presented by management.

Audience members will have cards for writing down their assessments and reactions, which will be collected and summarized for the whole session.

The fictional bank is a Delaware-registered company and its stock is listed on the NYSE. The bank’s retail operations are limited to US territories, and it has participatory agreements with ATM network providers that provide global retail consumer services. The bank acquired a wealth management advisory business in 2010 and provides settlement services for participating investment firms. The scenario begins with the defacement of the company’s public website following remarks by the CEO at a global economic forum. After an employee writes about the breach on social media, the public disclosure causes a chain of events involving customers, third-party relationships, competitors, regulators, law enforcement, and mainstream media.

The scenarios in this exercise are fictional and hypothetical. They do not denote actual events or PwC’s assessment of the capabilities and responses of any individual or entity herein.

February 2013

Obama Administration Releases Highly Anticipated Cybersecurity Executive Order

On February 12, 2013, the Obama Administration released an executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), which is focused primarily on government actions to support critical infrastructure owners and operators in protecting their systems and networks from cyber threats. The Executive Order requires administrative agencies with cybersecurity responsibilities to (1) share information in the near term with the private sector within the scope of their current authority and to develop processes to address cyber risks; and (2) review and report to the President on the sufficiency of their current cyber authorities.
The requirement to review and report to the President likely will serve to pressure Congress to pass more comprehensive legislation that should, inter alia, address issues that an executive order cannot, such as the provision of liability protection, incentives for compliance, and regulatory authority to compel compliance.

The Executive Order likely will impact companies in the following significant ways.

First, based on a Department of Homeland Security-developed process, there will be an increase in government notification to the private sector of cyber threats and recommended remediation activities. These notifications will flow from greater government coordination, and companies should be prepared to act on the information they receive to mitigate risk. Additionally, the Department of Homeland Security (“DHS”) will expand a current program, presently focused on sharing classified cyber threat information with defense companies, to include a broader group of critical infrastructure companies. This expanded program will be known as “Enhanced Cybersecurity Services.”

Second, the Executive Order requires the development of risk-based cybersecurity standards, methodologies, procedures and processes, a so-called “Cybersecurity Framework,” that can be used voluntarily by critical infrastructure companies to address cyber risks. The Cybersecurity Framework also may be used by secondary actors (such as insurance companies and auditors) to evaluate these risks. The Cybersecurity Framework will be developed using a consultative model involving an advisory committee led by DHS (the Critical Infrastructure Partnership Advisory Council), organized by infrastructure sector and with heavy involvement from the private sector. The Executive Order contemplates that DHS and other agencies will incentivize companies’ compliance with these “voluntary” standards in a variety of ways. One example included in the Executive Order is the call for a review of the federal procurement process to create a preference for vendors who meet the Cybersecurity Framework standards.

The Executive Order also will steer certain private sector companies to comply voluntarily with the Cybersecurity Framework by including them on a DHS-created list of “Critical Infrastructure at Greater Risk.” It directs DHS to use a risk-based, consultative approach to identify critical infrastructure where a cybersecurity incident could reasonably have a catastrophic regional or national effect. DHS will notify companies on the list and provide them with “the basis for the determination,” allowing companies to request reconsideration of their inclusion on the list.

In addition to its impact on the private sector, the Executive Order also directs federal agencies to review the Cybersecurity Framework and determine the sufficiency of the existing regulatory requirements to address current and projected risks. One potential impact of this federal agency review may be to put Congress on notice of the need for additional legislation.

After yesterday’s issuance of the Executive Order, the Administration’s next steps will include (1) beginning to work in earnest across government and with the private sector in establishing the Cybersecurity Framework, (2) increasing cyber threat notifications, and (3) accomplishing the broad objectives of the Executive Order, including greater protection of our nation’s infrastructure. These efforts cannot be accomplished without substantial input from the owners and operators of critical infrastructure.

Contacts
Lisa J. Sotto lsotto@hunton.com
Lawrence J. Bracken II lbracken@hunton.com
John J. Delionado jdelionado@hunton.com
Maida O. Lerner mlerner@hunton.com
Aaron P. Simpson asimpson@hunton.com

© 2013 Hunton & Williams LLP. Attorney advertising materials.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials.

February 2013

Obama Signs Presidential Policy Directive on Critical Infrastructure Security and Resilience

On February 12, 2013, in conjunction with the release of the Executive Order on Improving Critical Infrastructure Cybersecurity (the Executive Order), President Obama signed Presidential Policy Directive/PPD-21 on Critical Infrastructure Security and Resilience. The PPD revokes the 2003 Homeland Security Presidential Directive-7 (issued by President George W. Bush as an initiative under the former Office of Homeland Security and the Homeland Security Council) to adjust to the new risk environment and make the nation’s critical infrastructure more resilient. The PPD expands upon the work that has been accomplished to date for the physical security of critical infrastructure and lays a foundation for the implementation of the Executive Order to protect critical infrastructure cybersecurity. The PPD seeks to accomplish three strategic imperatives spearheaded by the Department of Homeland Security (DHS) through a collaborative effort with sector-specific government agencies (SSAs), other government entities, and the owners and operators of the nation’s critical infrastructure.

First, the PPD seeks to “refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience.” Through this imperative, the Obama Administration is forcing a review of the Critical Infrastructure Partnership Advisory Council (CIPAC) partnership model in order to identify areas of improvement. While the current partnership engagement has had some success, many believe that a system-wide improvement is needed to fulfill the new missions established by the PPD and the Executive Order. The PPD will establish two national critical infrastructure centers operated by DHS, one for physical and the other for cyber infrastructure. The likely challenge for these centers will be to coordinate operations and information exchange between them and with the private sector.

Second, the PPD aims to “enable effective information exchange by identifying baseline data and systems requirements for the Federal government.” The expressed goal of this imperative is to enable efficient information exchange and promote greater information sharing between government and the private sector, consistent with applicable law and policy.

Finally, the PPD directs the government to “implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.” In protecting the homeland, it is recognized that a necessary government function is to analyze the security of our nation’s critical infrastructure. Currently, this function is performed within the DHS National Protection and Programs Directorate (NPPD). Using the newly established constructs of the PPD, DHS is directed to reinvigorate this analysis through a heightened focus on four areas: prioritizing assets and managing risks, anticipating interdependencies and cascading impacts, recommending security and resilience measures, and supporting incident management and restoration efforts.

Like the Executive Order, the PPD sets tight timelines for government action. Within 120 days, DHS will need to develop a description of the functional relationships within DHS and across the federal government related to critical infrastructure security and resilience. This description will serve as a “roadmap” for the private sector to navigate the government’s functions. Within 150 days, DHS, in coordination with SSAs and critical infrastructure owners and operators, will need to complete an assessment of the existing public-private partnership model and recommend options for improving the partnership. Within 180 days, DHS, through a similar coordinated effort with SSAs and the private sector, will need to identify baseline data and systems requirements for the Federal Government to enable efficient information exchange; and, within 240 days, to develop a situational awareness capability for critical infrastructure. In addition, DHS is required to update the National Infrastructure Protection Plan (NIPP) within 240 days and complete a national critical infrastructure security and resilience research and development plan within two years. These tight time frames, in conjunction with the directives contained in the Executive Order, will require significant effort by DHS.

The PPD recognizes that the success of this effort will depend fundamentally on the level of engagement of private sector owners and operators of critical infrastructure. The collaborative framework established both by the Executive Order and the PPD will provide significant opportunities to the private sector for formal and informal interaction with DHS and other government entities. Industry should be prepared to provide meaningful and timely comments.

What We Can Do to Help

Hunton & Williams’ homeland security practice can assist companies in developing and understanding the impact of the Administration’s proposals on cybersecurity and related policies. A review of a company’s current cybersecurity regulatory footprint may aid in understanding the potential impact. In addition, we can assist affected companies in working with appropriate members of Congress and agency officials to ensure that their concerns and risks are understood prior to the enactment of any legislation. If you would like more information on how Hunton & Williams can assist with responding to this and other issues, please visit our practice pages for Homeland Security, Chemical Facility Security Regulation, Government Relations and Regulated Markets and Energy Infrastructure, as well as our Privacy and Information Security Blog for global privacy and information security law updates and analysis.

Contacts
Lisa J. Sotto lsotto@hunton.com
Lawrence J. Bracken lbracken@hunton.com
John J. Delionado jdelionado@hunton.com
Maida O. Lerner mlerner@hunton.com
Aaron P. Simpson asimpson@hunton.com
Mark W. Menezes mmenezes@hunton.com

© 2013 Hunton & Williams LLP. Attorney advertising materials.
November 2013

NIST Issues Preliminary Cybersecurity Framework

On October 29, 2013, the National Institute of Standards and Technology (NIST) published its Preliminary Cybersecurity Framework (Preliminary Framework) in the Federal Register. Issued pursuant to the President’s February 2013 Executive Order on Improving Critical Infrastructure Cybersecurity, the Preliminary Framework includes standards, procedures and processes to reduce cyber risks. NIST is seeking written comment on the Preliminary Framework by December 13, and is expected to publish a final version in February 2014. As discussed below, although it is a voluntary, nonregulatory protocol, the Framework will likely become a benchmark against which companies’ cybersecurity practices are compared.

The Preliminary Framework is organized into five broad functions: Identify, Protect, Detect, Respond and Recover. Each function has multiple categories, which are more closely tied to programmatic activities. They include activities such as “Asset Management,” “Access Control” and “Detection Processes.” The categories, in turn, have subcategories that support technical implementation. Examples of subcategories include “Asset vulnerabilities are identified and documented” and “Organizational information security policy is established.” Finally, the Framework includes Informative References, which specify sections of existing standards and practices that are common among various critical infrastructure sectors and illustrate methods to accomplish the activities described in each subcategory.

The Preliminary Framework gives companies discretion on how to prioritize different aspects of network security, what level of security to adopt and which standards, if any, to draw from. It does not include mandates to adopt a particular standard or practice. However, the Executive Order directs regulatory agencies to determine if their current cybersecurity regulations are sufficient in light of the Preliminary Framework, and to take regulatory action within 90 days of the publication of the final Framework in February 2014. This could lead to revised cybersecurity regulations.

In addition, the administration has stated that it will use incentives and market forces to advance the goals of the Framework. Pursuant to the Executive Order, the Department of Homeland Security is establishing a voluntary program to support widespread adoption of the Framework. In connection with that program, the administration is evaluating eight different types of incentives that could be used to encourage adoption of the Framework. As described by the White House, the eight areas of incentives are:

• Cybersecurity insurance: working with industry to build underwriting practices that promote adoption of Framework standards, and fostering the development of a competitive insurance market;
• Federal grants conditioned on adoption of the Framework;
• Process preferences: establishing adoption of the Framework as a criterion for prioritizing who receives technical government services in nonemergency situations;
• Liability limitations (would require congressional action): reduced liability for entities that adopt the Framework and participate in the voluntary program, including, for example, reduced tort liability, limited indemnity, lower burdens of proof or a federal legal privilege that preempts state disclosure requirements;
• Streamlined regulations: ensuring that the Framework interacts in an effective manner with existing regulatory structures, eliminating overlaps among existing regulations and reducing audit burdens;
• Public recognition for participants in the voluntary program;
• Rate recovery for price-regulated industries: allowing utilities to recover cybersecurity investments related to adoption of the Framework and participation in the voluntary program; and
• Cybersecurity research in areas where commercial solutions are not currently available.

Various sector-specific agencies are reviewing these incentives to determine which, if any, would be appropriate for their respective sectors, and inviting industry input as part of that review. Companies may be well served by some of these incentives if they are incorporated into the government’s program to encourage adoption of the Framework.

As a result of the incentives, the voluntary program and the cybersecurity regulatory review, the Framework may significantly influence underwriting standards and create a general benchmark against which companies’ cybersecurity practices are judged in the event that they become the subject of litigation. Companies may wish to engage in the policy and regulatory process in order to influence the content of the Framework, the possible follow-on revision to existing cybersecurity regulations, and the decision to use incentives to encourage adoption of the Framework.

Companies also should consider measuring their own practices against the Framework by assessing and updating their corporate governance structure, policies, procedures and regulatory compliance systems for information security, as well as reviewing and updating internal response plans and procedures for addressing cyber incidents. Part of that review should include consideration of private-private and public-private information sharing programs that are designed to provide industry information security professionals with current cybersecurity threat information. It should also include an evaluation of available financial protection, including an analysis of vendor agreements and insurance programs. Companies may consider obtaining specialized insurance products designed to protect against cybersecurity risks. With a number of very different insurance products of that type on the market, however, companies need to study their own cyber risks and existing insurance in order to obtain appropriate protection.

Contacts
Lisa J. Sotto lsotto@hunton.com
Lawrence J. Bracken II lbracken@hunton.com
Paul M. Tiao ptiao@hunton.com
John J. Delionado jdelionado@hunton.com
Lon A. Berk lberk@hunton.com
Neil K. Gilman ngilman@hunton.com
Frederick R. Eames feames@hunton.com
Michael A. Oakes moakes@hunton.com
Mark W. Menezes mmenezes@hunton.com
Aaron P. Simpson asimpson@hunton.com
Walter J. Andrews wandrews@hunton.com
William T. Um wum@hunton.com

© 2013 Hunton & Williams LLP. Attorney advertising materials.

February 2014

NIST Releases Final Cybersecurity Framework

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Cybersecurity Framework, as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Framework, which includes standards, procedures and processes for reducing cyber risks to critical infrastructure, reflects changes based on input received during a widely attended public workshop held last November in North Carolina and comments submitted with respect to a preliminary version of the Framework that was issued in October 2013. Differences between the Framework and its preliminary version generally are editorial, and the Framework’s basic structure has remained substantially the same.
However, in one notable change, the Framework no longer includes Appendix B, the “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program.” When the Preliminary Framework was released, Appendix B attracted significant opposition from industry. Among other concerns, critics took issue with its breadth, prescriptive nature and failure to reflect the standards contained in a wide range of successful privacy and data protection programs that have been implemented by industry in partnership with various government agencies. The revised Framework issued today eliminates Appendix B and replaces it with a general description of privacy issues that entities should consider in the section on “How to Use the Framework.” Like the preliminary version, the Framework is broadly broken down into three components: (1) Framework Core, (2) Framework Implementation Tiers and (3) Framework Profile. The Framework Core is organized into five overarching cybersecurity functions: (1) identify, (2) protect, (3) detect, (4) respond and (5) recover. Each function has multiple categories, which are more closely tied to programmatic activities. They include activities such as “Asset Management,” “Access Control” and “Detection Processes.” The categories, in turn, have subcategories, which are tactical activities that support technical implementation. Examples of subcategories include “[a]sset vulnerabilities are identified and documented” and “[o]rganizational information security policy is established.” The Framework Core includes informative references, which are specific sections of existing standards and practices that are common among various critical infrastructure sectors and illustrate methods to accomplish the activities described in each Subcategory. The Framework Implementation Tiers describe how an organization views cybersecurity risk and the processes in place to manage that risk. 
The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practice. Progression to higher tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective. The Framework Profile is the alignment of the functions, categories and subcategories with the organization’s business requirements, risk tolerance and resources. An organization may develop a current profile based on existing practices and a target profile that reflects a desired set of cybersecurity activities. A comparison of the two profiles may reveal gaps that establish a roadmap for reducing cybersecurity risk that is aligned with organizational and sector goals, considers legal and regulatory requirements and industry best practices, and reflects risk management priorities. © 2014 Hunton & Williams LLP 1 The Framework is a flexible document that gives users the discretion to decide which aspects of network security to prioritize, what level of security to adopt, and which standards, if any, to apply. This flexibility reflects vocal opposition by critical infrastructure owners and operators to new cybersecurity regulations. The White House has emphasized repeatedly that the Framework itself does not include any mandates to adopt a particular standard or practice. However, Section 10 of the Executive Order directs sector-specific agencies to engage in a consultative process with the Department of Homeland Security, the Office of Management and Budget, and the National Security Staff to review the Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. If such agencies deem the current regulatory requirements to be insufficient, then they “shall propose prioritized, risk-based, efficient, and coordinated actions...” This process could lead to new cybersecurity regulations in various sectors. 
This regulatory review, in conjunction with the Framework being used by insurance underwriters and incentives the Administration is developing to encourage adoption of the Framework, likely will result in the Framework affecting standards of reasonableness in litigation relating to cybersecurity incidents.

Contacts
Lisa J. Sotto lsotto@hunton.com
Neil K. Gilman ngilman@hunton.com
Paul M. Tiao ptiao@hunton.com
Mark W. Menezes mmenezes@hunton.com
Lon A. Berk lberk@hunton.com
Michael A. Oakes moakes@hunton.com
Lawrence J. Bracken II lbracken@hunton.com
Aaron P. Simpson asimpson@hunton.com
John J. Delionado jdelionado@hunton.com
William T. Um wum@hunton.com
Frederick R. Eames feames@hunton.com

© 2014 Hunton & Williams LLP. Attorney advertising materials. These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials.

PRIVACY & SECURITY LAW REPORT

A How-To Guide to Information Security Breaches
BY LISA J. SOTTO AND AARON P. SIMPSON

Since 2005, there have been reports of over 500 U.S. security breaches. Proactive incident response planning can help minimize the impact when and if a breach occurs. The authors provide advice on responding to and managing a data breach, including information on state law variations, relevant stakeholders, and tips on actual notification.

Contrary to what the headlines suggest, information security breaches are not a new phenomenon. What is new is that we are hearing about them in record numbers.
While consumers are newly focused on information security due to the emergence of e-commerce, the reason security breaches now seem ubiquitous is a result of the development of a body of state laws requiring companies to notify affected individuals in the event of a breach. The differing requirements of over 35 state security breach notification laws make legal compliance a challenge for organizations operating on a national level.

Background

Since 2005, there have been reports of over 500 security breaches, many of which have involved the most respected organizations in the United States.[1] In fact, the number of reported incidents does not begin to define the actual number of breaches that have occurred in the United States during the past two years. From universities to government agencies to Fortune 500 companies, no industry sector has been spared. These breaches have run the gamut from lost backup tapes and laptops, to hacking incidents, to organized crime. The reported breaches are estimated to have exposed personal information contained in over 100 million records. Consequently, a significant percentage of the American public has received notification that the security of their personal information has been breached. Indeed, it seems that hardly a day goes by without a new press report of a significant security breach.

State Security Breach Notification Laws

Public awareness was not focused in earnest on security breaches until 2005, fully two years after California enacted a law requiring organizations to notify affected Californians of a security breach.[2] At the time of enactment, few understood the enormous implications of that law. Since 2005, 35 other states, as well as New York City, Washington, D.C. and Puerto Rico, have jumped on the bandwagon and enacted breach notification laws of their own. In addition, numerous federal security breach bills have been proposed.
With no clear frontrunner, it is hard to predict when a federal law might be passed, though a federal preemptive law appears likely.

[1] See Privacy Rights Clearinghouse, “A Chronology of Data Breaches,” available at http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited March 27, 2007).
[2] Cal. Civ. Code § 1798.82 (2006).

Lisa Sotto heads the Privacy and Information Management Practice at Hunton & Williams LLP and is a partner in the New York office. She is also vice chairperson of the DHS Data Privacy and Integrity Advisory Committee. Sotto may be contacted at lsotto@hunton.com. Aaron P. Simpson is an associate in the Privacy and Information Management Practice at Hunton & Williams, New York. He may be contacted at asimpson@hunton.com.

At the state level, the duty to notify individuals affected by a breach generally arises when there is a reasonable belief that unencrypted, computerized sensitive personal information has been acquired or accessed by an unauthorized person. Typically, the state laws define “personal information” to include an individual’s first name or first initial and last name, combined with one of the three following data elements:

• Social Security number;
• driver’s license or state identification card number; or
• financial account, credit or debit card number, along with a required password or access code.

Unfortunately, entities struggling with a potential breach must look beyond the language of the “typical” state law in the event of a national, or even multi-state, incident. The variations among state breach notification laws greatly complicate the legal analysis as to whether the breach laws are triggered with respect to a particular event. Because most breaches impact individuals in multiple jurisdictions, companies often must take a “highest common denominator” approach to achieve legal compliance.
Key areas of variation among state breach notification laws include:

• Affected Media: Under most state breach laws, notification is required only if “computerized” data has been accessed or acquired by an unauthorized individual. In some states, however, including North Carolina, Hawaii, Indiana and Wisconsin, organizations that suffer breaches involving paper records are required to notify affected individuals.
• Definition of “Personal Information”: Breach notification laws in some states expand the definition of personal information to include data elements such as medical information (Arkansas, Puerto Rico), biometric data (Nebraska, North Carolina, Wisconsin), digital signatures (North Carolina, North Dakota), date of birth (North Dakota), employee identification number (North Dakota), mother’s maiden name (North Dakota), and tribal identification card numbers (Wyoming).
• Notification to State Agencies: Many states require entities that have suffered a breach to notify state agencies. Currently, the states that require such notification include Hawaii, Maine, New Hampshire, New Jersey, New York, North Carolina and Puerto Rico. In Puerto Rico, organizations must notify the state government within ten days of detecting a breach. In New Jersey, the breach notification law requires entities to notify the state police prior to notifying affected individuals.
• Notification to Credit Reporting Agencies: While the threshold for notification differs among the state laws, many states require organizations that suffer a breach to notify the three national consumer reporting agencies (Equifax, Experian and Transunion). Among the states with this requirement, the state with the lowest threshold requires notification to the credit reporting agencies in the event 500 state residents must be notified in accordance with the notification requirement.
• Timing of Notification to Affected Individuals: Most state notification laws require notification to affected individuals within “the most expedient time possible and without unreasonable delay.” Some states, such as Ohio, Florida and Wisconsin, require notification within 45 days of discovering the breach.
• Harm Threshold: Some states (e.g., Indiana, Michigan, Ohio, Rhode Island, Utah and Wisconsin) require notification of affected individuals only if there is a reasonable possibility of identity theft. Other states (e.g., Colorado, Idaho, Kansas, Maine, New Hampshire, New Jersey and Vermont) do not require notification unless it has been determined that misuse of the information has occurred or is reasonably likely to occur. And in other states (e.g., Arkansas, Florida, Hawaii and Louisiana) notification is not required unless there is a reasonable likelihood of harm to customers. For organizations that suffer multi-state security breaches, any harm threshold is irrelevant as a practical matter because many state breach notification laws do not contain such a threshold.

Federal Enforcement

In addition to the compliance maze at the state level, the Federal Trade Commission (FTC) has enforcement authority in the privacy arena pursuant to Section 5 of the FTC Act.[3] Section 5 of the FTC Act prohibits unfair or deceptive trade practices. The FTC recently has brought a number of enforcement actions pursuant to Section 5 stemming from security breaches. In fact, most of the enforcement actions brought by the FTC in the privacy arena have resulted from security issues. Some of the more noteworthy FTC enforcement actions stemming from security breaches have included those against BJ’s Wholesale Club, CardSystems, ChoicePoint and DSW. The CardSystems case highlights the significant reputational risk associated with privacy events generally, and security breaches in particular.
In this case, over 40 million credit and debit card holders’ information was accessed by hackers leading to millions of dollars in fraudulent purchases. In its enforcement action, the FTC alleged that the company’s failure to take appropriate action to protect personal information about millions of consumers was tantamount to an unfair trade practice. As part of its settlement with the FTC, CardSystems agreed to implement a comprehensive information security program and conduct audits of the program biennially for 20 years. The real punishment, however, was the reputational damage the company suffered in the wake of the breach. Both Visa and Discover severed their relationship with CardSystems and the company ultimately was sold to an electronic payment company in Silicon Valley.

As our society becomes increasingly information-dependent, it is likely that there will be an increase in FTC enforcement associated with security breaches. In fact, in response to heightened consumer concern and an increased need for regulatory oversight in this arena, the FTC recently established a new division of Privacy and Identity Protection. This signals a new FTC focus on data privacy and security, along with what will likely be a concomitant increase in enforcement.

[3] 15 U.S.C. § 45 (2005).

Managing a Data Breach

If a possible breach occurs, it is critical to determine as quickly as possible whether the event triggers a requirement to notify affected individuals. To make this determination, organizations must be able to answer the following questions:

1. What information was involved? Does the compromised information meet the definition of “personal information” under any of the state breach notification laws? As discussed above, certain states have adopted expansive definitions of “personal information” for purposes of their breach notification laws. These broader definitions must be considered in analyzing the information involved in the event.
2. Was the information computerized? In most states, only incidents involving computerized information require individual notification. But special attention should be paid to the laws in those states in which notification is required for incidents involving personal information in any form, including paper.
3. Was the information encrypted? Encryption is available as a safe harbor under every extant state security breach notification law. Importantly, all of the relevant laws are technology-neutral, meaning they do not prescribe specific encryption technology. If the information is maintained in an unreadable format, then it may be considered encrypted for purposes of the state breach laws. Encryption does not, however, include password-protection on equipment such as desktop computers, laptop computers and portable storage devices. As a result, many organizations have been required to notify affected individuals when laptop computers subject to password-protection have been lost or stolen.
4. Is there a reasonable belief that personal information was accessed or acquired by an unauthorized person? If an entity has a reasonable belief that the information was compromised by an unauthorized person, notification is required. Note that a number of state breach notification laws contain a harm threshold whereby notification is not required unless there is reasonable possibility of harm, misuse or identity theft (see above). Organizations should be wary of relying on harm thresholds, however, because they are not included in many state breach laws and thus may not be available in the event of a multi-state breach.

Because breaches come in all shapes and sizes, many of them require significant technical analysis to answer these questions. Organizations often must enlist the assistance of highly skilled forensic investigators to assist with the evaluation of their systems.
Recognize the Stakeholders

Once an organization has determined that the breach notification laws have been triggered, it is important to understand the panoply of stakeholders throughout the breach process. Depending on the type of organization involved, the potential universe of stakeholders is extensive and may include:

• Affected individuals: Individuals affected by a security breach are the primary focus for every organization during the notification process. Although the breach may not have occurred as a result of any misdeeds by the organization suffering the breach, in the eyes of consumers, employees and other affected individuals, the organization is responsible for the data it collects and maintains. As a result, regardless of the circumstances, an organization suffering a security breach should be appropriately helpful and respectful to individuals whose data may have been compromised.
• Board of Directors/Senior Management: Information security is no longer an area of a company that is relegated to the dusty basement. Front-page headlines and stock drops stemming from early security breaches made sure of that. It is often advisable to involve the Board of Directors (or its equivalent) and senior management soon after learning of a security breach affecting the organization.
• Law Enforcement: Depending on the nature of the event, it may be important to report the security breach to law enforcement authorities for purposes of conducting an investigation. The state security breach laws allow organizations to delay notifying affected individuals pending a law enforcement investigation. New Jersey’s breach notification law makes it a legal requirement to notify law enforcement prior to notifying affected individuals.
• State and Federal Regulators: In addition to the laws’ requirements to notify state regulators, organizations should give serious consideration to notifying the FTC in the event of a significant security breach. Proactively notifying the FTC, while not a legal requirement, provides an organization with the opportunity to frame the circumstances of the breach and provide appropriate context. Because the FTC will undoubtedly learn about every significant security breach, organizations are well-advised to tell the story themselves rather than have the FTC learn about the breach from unfavorable media reports.
• Financial Markets: For publicly-traded companies, some security breaches rise to the level of reportable events. In these cases, it may be necessary to notify the Securities and Exchange Commission and the relevant exchange of the breach.
• Payment Card Issuers: To the extent payment cards are involved, it is often essential to consult the card issuers as early as possible in the process. Organizations should review their contractual obligations with the card issuers because there are likely to be provisions relevant to a security breach. In addition, the card issuers may require organizations suffering breaches to file formal incident reports. Depending on the scope of the breach, the card issuers also may require that an independent audit be conducted by their own auditors.
• Employees: In some cases, employees of the organization should be notified of an incident affecting customers. Many employees care deeply about the entity for which they work. To the extent the organization’s reputation may be tarnished by the event, employees will not want to be left in the dark about the incident.
• Shareholders: Public companies that suffer breaches must consider their shareholders in the aftermath of a breach. The investor relations department should be mobilized in the event of a significant breach to respond to investors’ concerns.
• Auditors: In some cases, security breaches may need to be reported to a company’s auditors.
• Public: Security breaches often ignite the passions of the public at-large. In managing the process of notification, organizations should give careful consideration to the anticipated public response to the incident. In many cases, it is helpful to work with experienced public relations consultants. The risk to an organization’s reputation stemming from a security breach far exceeds the risk associated with legal compliance. Thus, it is imperative in responding to a security breach to consider measures that will mitigate the harm to an organization’s reputation.

Timing of Notification

Once the extent and scope of the incident have been defined and it is determined that notification is required, the next step is to notify affected individuals. Most state security breach laws require organizations that suffer a breach to notify affected individuals “in the most expedient time possible and without unreasonable delay.” In several states, notification is required within 45 days of the date the incident was discovered. Under both timeframes, the date of actual notification may be delayed by the exceptions available in most states for law enforcement investigations and restoring system security. Pursuant to the law enforcement exception, notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Thus, if law enforcement has requested such a delay, the clock does not start ticking on notification until after the agency determines that notification will not compromise the investigation.
As to the exception for restoring system security, notification to affected individuals may be delayed to provide the affected organization time to take any security measures that are necessary to determine the scope of the breach and to restore the “reasonable integrity of the system.” Organizations should not take this exception lightly—notification to consumers of a system vulnerability may tip off copycat fraudsters to a system weakness they can exploit. Thus, prior to notifying affected individuals, it is essential for organizations suffering security breaches to restore the integrity of their systems.

Entities that rely on either the law enforcement or system security exception should document such reliance. In Hawaii, such documentation is a legal requirement.

Notification to Individuals

Letters to individuals notifying them of a possible compromise of their personal information should be simple, free of jargon and written in plain English. Entities would be well-advised to avoid legalistic phrases and any attempt to pin blame elsewhere. Organizations that have been most favorably reviewed by individuals following a breach are those that have accepted responsibility and provided useful information to recipients. (A breach notification letter is not the place for marketing!) Organizations should keep in mind that, in addition to impacted individuals, the notification letter will likely be scrutinized by numerous interested parties, including regulators, plaintiffs’ lawyers and the media. As a result, it is essential to strike the appropriate tone while at the same time providing a meaningful amount of substance. There is a growing de facto standard, depending on the information breached, for the types of “offerings” companies are making to affected individuals in their notice letters.
These offerings typically include:

• Credit Monitoring: In the event a Social Security number or some other form of identification that may contain a Social Security number (such as a driver’s license number or a military identification card number) has been compromised, it has become standard to offer affected individuals one year of credit monitoring services. Depending on the size of the breach, this can be a significant cost for companies.
• Free Credit Report: Separate and apart from credit monitoring, organizations should inform affected U.S. individuals that they are entitled to one free credit report annually from each of the three national credit reporting agencies.
• Fraud Alert: Organizations also may want to recommend that affected individuals place a fraud alert on their credit file for additional protection. There is no charge for this service. Because fraud alerts can have a significant impact on a consumer’s day-to-day purchase habits, most organizations simply suggest to consumers that this is an option rather than insist they take such action.

In addition to the standard offerings, the letter should describe the details of the security breach. For obvious reasons, these details should never include the specific affected payment card or Social Security numbers impacted by the breach. Instead of providing this detail, it is most effective to explain what happened and what the organization is doing to help individuals affected by the breach. In many cases, this means providing the individual with information about credit monitoring and other information about how they may protect themselves. Also, it may be necessary to establish a call center (with trained agents) to handle consumer response to the incident.

As a general rule, if an organization is required to notify in a few jurisdictions, it is recommended that it notify in all jurisdictions (often this includes foreign countries).
With few exceptions, this has become standard in the privacy realm. A few companies that suffered early security breaches after California passed its law were torched by the media and subjected to severe criticism by irate state attorneys general for notifying affected Californians but not affected residents of other states without breach notification laws. The collective experience of these companies highlights an important, but often misunderstood, concept: technical compliance with law is necessary but not sufficient in the privacy arena. Privacy events are hot button social issues that often transcend mere legal compliance. Indeed, the risk to an organization’s reputation and revenues often far exceeds the risk associated with non-compliance with breach laws. As a result, organizations responding to a breach should focus on doing the right thing as opposed to doing only those things that are required by law.

Lessons Learned

Security breach notification laws have brought information security issues into the spotlight. While no information security is perfect, proactive incident response planning can help minimize the impact when and if a breach occurs. Such planning includes inventorying the entity’s databases that contain sensitive personal information, understanding how sensitive personal information flows through the organization, conducting ongoing risk assessments for internal and external risk to the data and responding to reasonably foreseeable risks, maintaining a comprehensive written information security program, and developing a breach response procedure.
Given that a recent survey of 31 breaches ranging in size from 2,500 records to 263,000 records conducted by the Ponemon Institute found that the average cost of responding to a security breach was $182 per lost customer record with an average total cost of $4.8 million, the stakes are higher than ever for companies to focus on their information security programs.[4] Most importantly, concern and respect for information security should be integrated into the organization’s core values. A breach response plan alone, without demonstrable organizational concern for information security generally, exposes the organization to significant risk. With the stakes as high as they are, all organizations should be taking a closer look at their information security practices.

[4] See Ponemon Institute, “2006 Annual Study: Cost of a Data Breach” (October 2006).

Reproduced with permission from Privacy & Security Law Report, Vol. 6, No. 14, 04/02/2007, pp. 559-562. Copyright © 2007 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

Vanessa Lloyd, Corporate Counsel Marketing Manager, LexisNexis
Contributing editor: Tom Hagy, HB Litigation Conferences LLC, former VP LexisNexis and Publisher of Mealey’s™ Litigation Reports

LexisNexis for Corporate Counsel

New Cyber Guidance on the Horizon—Be Prepared
BY ART EHUAN, ALVAREZ & MARSAL and LISA J. SOTTO, HUNTON & WILLIAMS LLP

In February 2013, following the failure of legislative initiatives and in response to increasingly sophisticated and ever-growing cyber threats directed at businesses and government agencies from hackers, hacktivists, organized crime groups, terrorist organizations and nation-states, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” The Executive Order has several key components: (1) it requires government agencies to share cyber threat information with the private sector, (2) it contains a mandate to consider impacts on privacy and civil liberties, and (3) most importantly, it contains a requirement to develop a Cybersecurity Framework for critical infrastructure.

Section 7 of the Executive Order directs the Department of Commerce, specifically the National Institute of Standards and Technology (NIST), to develop a baseline Cybersecurity Framework to reduce cyber risks to critical infrastructure. Development of the Cybersecurity Framework was to be a collaborative effort between the government and the public. Since the issuance of the Executive Order, NIST has held four public meetings to discuss and collaborate on the proposed Cybersecurity Framework. The fourth and last meeting was held in September 2013, and the official draft of the Cybersecurity Framework was just released for public comment. As directed by the Executive Order, on or about February 2014, NIST will release the final Cybersecurity Framework. With the release of the official draft, the government is one step closer to finalizing what will become a framework of best practices in securing the IT systems of critical infrastructure. The intent of Section 7 of the Executive Order is to provide organizations that lack a risk management process, or those that have an immature or less developed risk management process, with a Cybersecurity Framework as a model for their business.
Source: Lexis Nexis's Corporate Counsel Newsletter

The Preliminary Framework Consists of Three Parts

First, there is the Framework “core,” which lists cybersecurity activities companies typically undertake and also lists references to various information sources. The “core” consists of five functions—identify, protect, detect, respond and recover. The second part is the “framework profile,” which provides guidance on how to integrate the core functions within a cybersecurity risk strategy or roadmap. The framework profile is used to determine the current state of risk management versus the desired state for the organization. The third part is called the “implementation tiers,” and this part is intended to indicate how cyber risk is managed within an organization. The tiers range from zero to three, with three indicating the most effective level of protection.

Five Functions Comprise the Framework Core

The Framework Core (which is subject to change based on public comments) provides four individual elements, described as Functions, Categories, Sub-Categories and Informative References. The Functions matrix provides the overall model and structure for organizing cybersecurity efforts in an organization. There are five Functions. They consist of:

• Identify function, which is used to define the organization’s assets, business partners and other areas that need to be protected
• Protect function, which is used to define the appropriate security safeguards and controls to protect the organization
• Detect function, which is used to define how the organization will detect cyber threats
• Respond function, which is used to define how the organization will react to a cyber event or incident
• Recover function, which is used to define how the organization will conduct its continuity operations in the event of a cyber event or incident

Categories are high-level cybersecurity activities within a Function that an organization must undertake for protection.
Sub-Categories are sub-divisions of the various Categories and provide detailed requirements for implementation. The Informative Reference portion lists the individual policies and procedures (such as ISO 27001/2-2005, COBIT and NIST standards) that an organization utilizes to meet the Sub-Category requirement.

[Figure: Example of the Framework Core with applicable Function, Category, Sub-Category and Informative References]

As the example indicates, the Cybersecurity Framework incorporates the existing information protection standards that an organization currently may be using. Accordingly, an organization that uses ISO 27001/2-2005 or another information security standard can plug the individual components into the Cybersecurity Framework, thus eliminating the need to reinvent the wheel. Organizations that do not have a framework in place can use the Cybersecurity Framework as the model for building their framework with standards that are appropriate for their industry, such as the North American Electric Reliability Corporation (NERC) Standards for Critical Infrastructure Protection (CIP) for the electric industry.

Understanding Your Cybersecurity Profile

To implement an effective cybersecurity framework, an organization must understand its current security profile. A Current Profile will establish an existing baseline of how an organization currently is protecting its assets. Once the Current Profile has been determined, an organization can then create a Target Profile. The Target Profile is the cybersecurity state the organization is striving to achieve for optimal protection of its assets. The difference between the Current Profile and Target Profile forms the gap that will need to be addressed by the organization’s management.
[Figure: Example of the Cybersecurity Current Profile, Target Profile and Gap Identification]

It's Good to be a 4

As indicated above, the Cybersecurity Framework also provides tiers to assist in determining how the model has been implemented by an organization. The tiers are described as:

Tier 1: Partial—An organization has not defined or implemented a risk management process for cybersecurity.
Tier 2: Risk Informed—An organization has implemented a risk management process for cybersecurity but it is not fully mature.
Tier 3: Risk-Informed and Repeatable—An organization has a defined risk management process and the flexibility to respond to changes based on cyber security threats.
Tier 4: Adaptive—An organization that has reached a high level of maturity is dynamic and anticipates cyber threats with appropriate responses.

A Voluntary Program?

The Cybersecurity Framework is intended to provide a voluntary program for owners and operators of critical infrastructure. While voluntary, however, the Executive Order called for federal agencies to consider changes to the Federal Acquisition Regulations to encourage adoption of the Framework, and requires agencies to report on the extent to which the private sector is complying. In addition, the Executive Order directs agencies to determine whether current regulatory requirements are sufficient, and to report on whether they have authority to establish cybersecurity requirements and, if not, to propose what legislation might be needed. Federal agencies currently are reviewing the boundaries of their authority as regulators to determine how to press the Framework on private sector entities within their purview. On September 18, 2013, Thomas J. Curry, the Comptroller of the Currency, stated: “In my capacity as chairman of the Federal Financial Institutions Examination Council, which brings together all of the bank regulatory agencies, I called for the creation of a working group on cybersecurity issues to be housed under the FFIEC’s task force on supervision. The Cybersecurity and Critical Infrastructure Working Group was launched in June, and its members are already meeting with intelligence, law enforcement and homeland security officials. They are going to be considering how best to implement appropriate aspects of the President’s Executive Order on Cybersecurity, as well as how to address the recommendations of the Financial Stability Oversight Council.”

Last summer, the White House announced recommendations on incentives that could be used to encourage owners and operators of critical infrastructure to comply with the Framework. The key incentives involve insurance incentives, adoption of the Framework as a condition for federal grants and the possibility of limited liability for companies that adopt the Framework.

The term “critical infrastructure” is defined by Presidential Policy Directive (PPD) 21 as those “assets, networks, and systems—that are vital to public confidence and the Nation’s safety, prosperity and well-being.” PPD-21 identifies 16 sectors as being part of the critical infrastructure: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Material and Waste; Transportation Systems; Water and Wastewater Systems.

No Need to Wait

There are numerous steps owners and operators of critical infrastructure can take in anticipation of the issuance of the final Cybersecurity Framework in February 2014.
They include:
• identifying a point-person to become familiar with the Cybersecurity Framework and its components;
• identifying the organization’s risk approach based on function, assets and regulatory requirements;
• determining the Current Profile of the organization’s existing cyber security posture;
• reviewing policies, procedures and controls, and determining how they would fit into the Cybersecurity Framework;
• identifying a Target Profile as the goal for the organization;
• organizing a working group with robust management participation that will review the results of the gap analysis and the analysis of existing policies and procedures to determine next steps; and
• making informed changes based on risk, resources and regulatory requirements.

The continuing onslaught of cyber attacks against organizations requires a dedicated effort by businesses to protect their information assets. The Cybersecurity Framework should be viewed as a tool that can assist in securing the infrastructure of an organization. It provides an opportunity for management and staff to work together to define the cyber threats to an organization, and to determine appropriate controls to protect the entity. Organizations would be well advised to closely monitor this quickly evolving legal environment.

Art Ehuan is a managing director with Alvarez & Marsal’s Global Forensic and Dispute Services in San Antonio, Texas. He is a strategic information security specialist with more than 20 years of experience working with U.S. and international clients and governments. Lisa J. Sotto is the chair of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice and is the managing partner of the firm’s New York office.

Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.