“Uncertainty and expectation are the joys of life.” An English playwright and poet offered this observation over 300 years ago, but it applies equally well to data security issues we will face in 2014. With concern about cyber security at an all-time high, enterprises of all sizes are naturally anxious about what may come next. Given such widespread uncertainty, government at all levels will get involved in an effort to “solve” perceived problems. Consequently, data security and related privacy issues will be the focus for 2014, and beyond.
The SEC Will Spotlight Corporate Cyber Risks
The U.S. Securities and Exchange Commission announced that it will include cyber security in its 2014 national examination priorities. According to the SEC, its staff will for the first time focus on “information leakage and cyber security.” It’s about time because a lot of public companies have been experiencing “information leakage,” but have not been so forthcoming in disclosing these events to the public.
Several recent reports have alluded to the fact that many Fortune 1000 companies are not complying with disclosure obligations relating to cyber risks and related incidents. Take Neiman Marcus, for example, where hackers penetrated its computer network as early as July 2013, but the company did not publicly disclose the incident (and related theft of customer data) until January 2014. Neiman Marcus claimed it had no knowledge of the breach until mid-December 2013.
Maybe. Maybe not. We may never know. But the hope is that with the SEC now shining a spotlight on “information leakage,” it may provide an impetus for companies to examine closely their cyber security risks, including whether they are “material” and should therefore be disclosed.
NIST Publishes The Final (Or Should I say, Version 1.0) Cybersecurity Framework Has Been Published
Pursuant to Executive Order No. 13636, NIST delivered the “final” version of its Framework for Improving Critical Infrastructure Cybersecurity. I put the word “final” in quotes because that is what NIST promised after having previously floating several working drafts. But in this latest draft, NIST officials chose not to describe it as “final,” but rather more of a work in progress: “The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation.” Consistent with this message, NIST labeled the latest draft as “Version 1.0.”
Some have criticized the Framework as being too vague and overly complicated to be of much value. MFT Nation agrees with these criticisms, as expressed in a previous post.
Others say the Framework offers a risk management road map that organizations can use to better evaluate business risk in relation to data security solutions and practices. I’m skeptical, but certainly hope the Framework achieves this objective. In my experience, most IT departments know the data security risks and can devise solutions. But all too often the recommendations from IT either fall on deaf ears or are rejected because organizations fail to appreciate the need to devote resources to protecting data flows.
The Framework strongly encourages companies in the financial services and other industries to implement its “voluntary” standards. Even if you’re not encouraged to comply “voluntarily,” you may be effectively pushed in that direction. Those that do implement the Framework guidelines may, in turn, require their service providers (and prospective service providers) to comply with the Framework as a condition of doing business.
So whether you like it or not, you better take the time to become familiar with the Framework.
The Feds May Require Framework Compliance For Those With Whom It Does Business
The GSA and Department of Defense recently published joint recommendations on “what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.” In other words, the Fed procurement folks are considering ways it can help to ensure better data security through its acquisition activities. Among other things, the recommendations suggest “purchasing products and services that have appropriate cybersecurity designed and built in.” So if you are doing business with the Feds, you better get your cybersecurity house in order, so to speak.
In later posts, we will explore data security trends at the state, local and international levels. But for now, please remember that it can be difficult to determine the appropriate amount of data security measures to deploy. You don’t want to install too little, because as an English proverb advises: “It is folly to bolt a door with a boiled carrot.” But one also has to consider cost, and as an American scholar once said: “Security depends not so much upon how much you have, as upon how much you can do without.” Clearly, it’s a balancing act, so let us help. Contact our data security experts at firstname.lastname@example.org.