In this episode of Digital Detectives, hosts Sharon Nelson and John Simek speak with Denver Edwards about cybersecurity. In their discussion, they address the National Institute of Standards and Technology’s (NIST) cybersecurity framework and how it relates to the FTC’s work. They also talk about how a company can use the NIST framework along with FTC guidance in order to minimize security risks. They conclude the episode with predictions regarding how the Trump Administration will handle cybersecurity.
Denver Edwards is a principal at Bressler, Amery & Ross, P.C. in New York and works in the firm’s securities department.
Special thanks to our sponsors, PInow and SiteLock.
Cybersecurity 2.0: Creating Order from the Regulatory Landscape to Build a Strategic Advantage
Laurence Colletti: Hello listeners, it’s Laurence Colletti, Executive Producer of Legal Talk Network. I want to tell you about one of our longest-running and most informative shows, The Digital Edge. Each month our expert hosts Sharon Nelson and Jim Calloway talk with renowned authors, speakers and legal technology gurus about tools, tips and tricks for running a successful legal practice. If you’re seeking a competitive advantage for your firm, make sure to catch The Digital Edge on our website at legaltalknetwork.com, in Apple Podcasts or on your favorite podcasting app; and now, onto the show.
Intro: Welcome to Digital Detectives. Reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 81st edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is Cybersecurity 2.0: Creating Order from the Regulatory Landscape to Build a Strategic Advantage.
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: We are delighted to welcome as today’s guest, Denver Edwards. Denver is a Principal at Bressler, Amery & Ross, P.C. in New York. He practices in the firm’s Securities Department and helps clients navigate regulatory investigations before state and federal agencies, cybersecurity, securities arbitration, and litigation. He has a broad skill set, having previously worked for two federal regulators, the SEC and OCC, Goldman Sachs, Toyota, and large law firms.
Thanks for being with us today, Denver.
Denver Edwards: Thanks for having me.
Sharon D. Nelson: Well, Denver, the Federal Trade Commission has been the most active regulator and it appears to rely on the NIST Cybersecurity framework. NIST being the National Institute of Standards and Technology. Can you explain the NIST framework a little bit and how the framework relates to the FTC’s work on data security?
Denver Edwards: Sure, the framework is really a risk-based approach to managing cybersecurity risk and it has three parts. There’s a framework core, there are implementation tiers, and there is a framework profile. I’m going to focus primarily on the framework core, because that’s what people typically focus on. So there are five concurrent and continuous functions in the framework core.
The first function is Identification, and that requires developing and implementing policies and procedures to understand a company’s cybersecurity risk; next, there is the Protection function, which focuses on developing cybersecurity safeguards; the third function is Protection, which concerns itself with implementing processes to detect cybersecurity incidents in real time. The fourth is to Respond to a cybersecurity incident, and the fifth is to Recover after a cybersecurity incident has occurred.
Now that’s just a shell of what the framework calls for, and within those functions there are categories. I’m not going to go through each and every category, but for example, the Identification function would focus on things like risk assessment, the Protection function would focus on things like access control and protective technology, and for each of those subcategories you’d need to develop policies and procedures to sort of flesh out what your practices are for cybersecurity or risk management.
In terms of the implementation tiers, there are four of them, partial, risk informed, repeatable and adaptive, and it goes from small to large, or informed to less informed. So the highest that you can get is to be adaptive, and that’s where you’re in a situation of being really risk informed about cyber threats and vulnerabilities, and you even get to a point of being predictive, and so, you can anticipate where some of the threats might come from.
The lowest tier is the partial, which is, when a company’s cybersecurity activities are not really risk informed or aligned to the organization’s objectives or threat environment, so the goal is to be in the implementation tier where you are actually in the adaptive stage.
In terms of the framework profile, it’s really a situation of where we are now and where we want to be, so a company should look at what its current risk profile is, what its current cybersecurity stature is, where it wants to be, so its target profile, and then figure out what the gap is in between and how it intends to get there.
In terms of how it relates to the FTC, so the FTC’s actions actually preceded the NIST framework. The FTC has had about 60 or so enforcement cases since 2001, Section 5 of the FTC’s focus is on preventing deceptive and unfair business practices in data security area. And so, what the FTC focuses on is to look at the volume and sensitivity of the business enterprise, the complexity of the enterprise, the cost of the tools to address the vulnerabilities of the enterprise, and so, it really focuses on reasonableness, so this concept of NIST being flexible and applicable across many industries is very similar to the FTC’s very reasonable standards in light of the circumstances that the business operates.
John W. Simek: Well, Denver, I think you did a really great job in explaining what that NIST framework is, but how can a company use that framework and the FTC’s guidance to minimize their cybersecurity risk?
Denver Edwards: Sure. So as I mentioned the FTC has been doing a lot of work in this area prior to the creation of the NIST framework, and in 2015 the FTC rolled out an initiative called Start With Security, and so I’ll just go through a couple of the issues raised by the FTC’s Start With Security initiative and you’ll see that they’re somewhat similar to the NIST framework. So the first and foremost thing that the FTC recommends is that you start with security and that means that not collect unnecessary personal information about a customer and you only keep information as long as it’s necessary, so that could be part of the identification function of the NIST framework, where you’re looking at the kind of data that you have, you are doing a risk assessment of that data, and determining whether or not it’s useful to you, and for how long it’s useful.
Another area that the FTC focuses on is access control, to make sure that only people who need to have access to the information have that access. It also focuses on secure passwords and authentication to make sure again that individuals do not breach the system who do not have access or need to get to the information. The FTC also focuses on how you store information and how you transmit information, such as when you’re transmitting an email or some other communication, is it encrypted? When it’s at rest, sitting on your servers, is it encrypted so that if someone has access to it they have to reconstruct the data before they can use it?
A few other points that the FTC raises would be to segment your organization’s network so that you don’t want to be in a situation where everything is integrated, and if you’re breached, they have access to all the goods, perhaps you want to have Internet that is segregated from the overall computer system of the enterprise.
It also focuses on monitoring and trying to figure out who is using your system and how they’re using your system, so again, that ties into the detection function of the NIST framework.
One or two more points: the FTC talks about your service providers and making sure that they have adequate security policies and procedures in place. So this is just an example of the way that the NIST framework is actually adapted more to the FTC’s actions rather than the other way around, but together, if you look at both the NIST framework and some of the FTC’s enforcement actions, you will see that there are a lot of synergies between them, and if you follow both of them, I think it can inform you as to what your cybersecurity risk profile should be.
Sharon D. Nelson: Yeah, I saw a video about three and-a-half minutes online, which was very good about how the NIST framework aligned with the FTC, and I thought the word “aligned” was a very good word; it’s just exactly what you’ve been talking about. So let’s talk about New York in their Department of Financial Services. They enacted a new cybersecurity law in 2017, what are the critical elements of that law, and what if any implications do you see from its enactment?
Denver Edwards: Sure. So the cybersecurity law in New York has been much discussed recently, and I like to divide things into phases, so I think this law has three phases as well. So it has an administrative requirement, it has technical controls, and it has notification and reporting requirements. The New York law applies to any entity that receives a license, a registration, a charter, a certificate or a permit under the New York State banking laws, insurance laws or financial services law, and so let’s look at the administrative controls, and it’s very similar to the NIST framework in some respects as well. So it requires that there be a cybersecurity program to protect the covered entity’s information system and net worth, and as I mentioned, many of the features look like the functions of the NIST framework to identify, protect, detect, respond and recover.
The second administrative requirement is that there be written cybersecurity policies and procedures and these policies and procedures must be approved by senior leadership or the board of directors, they must relate to the governance of the organization system security, asset classification, risk management, vendor management, encryption, multi-factor authentication, response planning, there must be the appointment of a chief information security officer that reports to the Board regularly, so many of these policies relate very closely to the functions of the NIST profile.
In terms of technical controls, the New York law requires data encryption and an annual review of how the information is encrypted, and how information is transferred, whether there is encryption at rest, whether there is encryption in transit, also features of the NIST framework.
It also speaks about multi-factor authentication and password protections, ranging from just a regular password to biometric features. Monitoring is also a big part of this cybersecurity law; it requires annual penetration testing, requires biannual vulnerability assessments, and also monitoring and tracking the use of the system, so as to make sure that the people who are using the system actually have authorization to do so.
And then, obviously, it talks about recovery of information; it has a very detailed requirement about an audit trail to track cyber incidents, and also having adequate backups to reconstruct financial data, and then finally, in terms of reporting, it requires that the CISO or some other senior officer submit a certification, much like you see in SOCs, to the Superintendent of the Department of Financial Services on an annual basis indicating compliance with the new cybersecurity law. And the final bit is notification: if there’s a cyber incident, you must notify the Superintendent within 72 hours, which is a pretty short timeframe when you don’t know exactly what’s going on yet.
John W. Simek: Wow.
Sharon D. Nelson: Yeah, that is short.
John W. Simek: Denver, financial services are designated as critical infrastructure; can you talk a little bit about what the financial services regulators are doing with regard to cybersecurity?
Denver Edwards: Sure. So I think the financial services industry is one of the more mature cybersecurity industries. A lot of what is going on in financial services is based on the Gramm-Leach-Bliley Act and the privacy rule that falls under that. Basically the Gramm-Leach-Bliley Act privacy rule says that a company cannot share private information of a customer or a consumer with any non-affiliated third parties without giving notice to the consumer about the privacy practices of the institution, without giving the consumer chance to opt out, making sure that the notice to the consumer that he or she can opt out is reasonable and the consumer actually opts out, so that’s the basic privacy rule.
Any other access to information is largely unauthorized, and so a number of the agencies, whether it’s the SEC, the Financial Industry Regulatory Authority (FINRA), the banking agencies, the CFTC, the CFPB, many of those agencies have rules around the protection of financial information, and so they’re called the safeguard rules, and the safeguard rules basically say that a customer’s private information must be protected and the institutions must have administrative, technical and physical safeguards to ensure that that happens. So the SEC is what I’m most familiar with, and so the SEC has Regulation S-ID, which talks about identity theft, it has Regulation S-P, which talks about safeguarding customer information generally, but it also has more institutional aspects too, such as Regulation SCI, which talks about business continuity of market trading systems, so the exchanges or alternative trading systems.
FINRA has gotten into the mix and it developed a very elaborate set of rules and practices around cybersecurity that focus on governance, risk assessment, technical controls, response planning, vendor management, training, things of that nature, and then finally, in that space there also have been a number of enforcement actions. So the regulatory bodies have taken to enforcing cybersecurity and have hit institutions with some pretty significant penalties, and I think that they are going to continue, so that’s the securities side.
On the banking side they basically followed the Gramm-Leach rule, but there are other institutions on the banking side of the financial services industry that have also come to the fore. There’s the Federal Financial Institutions Examination Council, the FFIEC, which has developed an assessment tool that asks banks to focus on cyber risk management, threat intelligence, cybersecurity controls, external dependency and resiliency, and recovery once a cyber threat has happened.
But one final bit of change has occurred: there is now a rule-making that’s out, it’s not been finalized but it’s been out for comment, where you have the banking agencies looking at institutions that are considered systemically important to participate in enhanced risk management, in which they would want to make cyber risk governance a legal requirement as opposed to the voluntary requirement that the NIST framework focuses on. It focuses on risk management that really seeks to segregate each business unit and look at the risk associated with each business unit of a bank or banking institution and then aggregate those risks and see what the overall enterprise-wide risk is. And so, a number of things like that are in the works and there’s a lot to look forward to.
John W. Simek: Great. Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry-leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigations, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Cybersecurity 2.0: Creating Order from the Regulatory Landscape to Build a Strategic Advantage. Our guest is Denver Edwards, who is a Principal at Bressler, Amery & Ross, P.C. in New York.
John W. Simek: Well, Denver, another question for you is what role should the U.S. government have in defending the private sector?
Denver Edwards: So, I think that the primary role of the U.S. government in protecting the private sector is to create a regulatory structure and provide minimum standards that are necessary to protect private industry and consumers from data intrusions and then also to share information about cyber threats, vulnerabilities, and mitigations.
Currently, there is a patchwork of legislation that is out there governing many industries. I won’t go through all of them because we would be on this call forever. So, I think the government has done a fair job of creating that environment.
Now, the second thing is that there are State laws; there are about 47 State laws along with the District of Columbia, Guam and the Virgin Islands that also have their own cybersecurity laws, and then you have the standards on top of that, like the NIST standard, for example. So I think there is a fair amount of information that’s out there about how to go about protecting information security.
On the other side of that information sharing, I think there’s been the Information Sharing Act of 2015, which is intended to enhance information sharing between public entities and private entities. You also have what’s called Information Sharing Analysis Centers that have developed to share intelligence about vulnerabilities and threats among industry participants as well as with the government, and then finally, you have the Justice Department and the FBI that share intelligence about threats in cyberspace.
I think the government actually has the right framework; the question is whether businesses will adopt a lot of these frameworks and how they use them going forward.
Sharon D. Nelson: Well, here’s a very loaded question. Do you have any expectations for the Trump administration regarding cybersecurity, because we really have not seen much thus far?
Denver Edwards: Well, actually I have great expectations for the Trump administration. Cybersecurity is one of the few bipartisan issues in Washington, and interestingly enough, recently, as recently as May 11 of 2017, Donald Trump signed an Executive Order regarding cybersecurity. The Executive Order is intended to have all the federal executive agencies do a comprehensive review of the adequacy of their cybersecurity risk management policies and procedures related to critical infrastructure, and then also to assess the current education policies regarding development of a robust cybersecurity workforce. Now there are a couple of key features to this Executive Order that focus on critical infrastructure; in particular, it focuses on the energy grid, the electricity grid, and the readiness of the United States to manage the consequences of an incident and how quickly we can get up to speed.
So what President Trump has done is basically directed his Homeland Security Secretary and Secretary of Energy to work with local governments and the various intelligence agencies to figure out how we can respond to intrusions on our critical infrastructure, but what’s going to happen is the regulators in all of these executive branches will start sending information requests to the industries that they regulate, having technical conferences, having requests for documentation to see what their incident response plans are under the circumstances, and this is usually a precursor to additional rule-making, and even if there isn’t additional rule-making, by focusing on this you start to see people become more concerned about cyber and, hopefully, take it seriously and implement procedures and policies that will make it safer.
And I would add one thing, he’s done this within the first 200 days of his administration. The prior administrations either didn’t do it very well, and certainly, in the last administration, nothing happened until six years in, so he’s actually ahead of schedule.
John W. Simek: Well, let’s move on to Target. They’ve recently settled their class action lawsuit; can you tell us what businesses can learn from that Target litigation?
Denver Edwards: Yeah, so I think most folks understand the Target situation, the context of what happened at Target, so I’ll just summarize what I think are the key takeaways there. Target paid $18 million to settle with the states. $18 million is the largest cyber fine so far, but the takeaway is that Target probably spent over $200 million on indirect costs associated with the cyber breach, and so I think it’s really important for folks to not only look at the direct costs but also the indirect costs.
One takeaway I think is that, notwithstanding whether you are deliberate or you are incompetent, if there is a cyber breach that causes personally identifiable information to be stolen and acted upon, you will face liability.
The second thing is that because there is a panoply of federal laws, I think that the states are really going to step in and act like many FTCs and take up the mantle of ensuring data security among consumers, and the third point I would make really quickly is that in the first class action that was settled, all that Target had to put in place was written supervisory policies and a periodic review of safeguards. Now, there is a requirement for there to be a CISO, CISO reporting to the Board, SB-10 testing, access control and privilege management, third-party vendor management, multi-factor authentication, encryption, et cetera, et cetera.
So, now all of these are required under this settlement, which by the way is very similar to the requirements under the financial services protocol, so I think those are some of the takeaways that I would have from Target.
Sharon D. Nelson: So, Denver, what predictions do you have, if any, regarding cyber threats for 2017 from a regulatory perspective?
Denver Edwards: Sure. From a regulatory perspective, I think that there will be more laws along the lines of the New York regulation which is a bit more prescriptive than a lot of the other laws, and I think the questions are going to be how many states implement such laws and whether or not they are actually more assertive or more prescriptive than what the New York State Department of Financial Services has done.
In terms of regulatory issues, that’s really the main one that comes to mind. I think that there are a lot of other issues that we look for in 2017, but I think the concept of prescriptive versus voluntary is going to be the big issue that we’re looking for in 2017.
Sharon D. Nelson: Well, we’ve talked about cybersecurity a lot, but I don’t think ever from a regulatory perspective, so this was tremendously interesting and a whole new way of looking at it. So, thank you very much for sharing your expertise with us today, Denver, this was great.
Denver Edwards: Thank you. I am glad to have been able to participate.
John W. Simek: That does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in iTunes. If you enjoyed this podcast, please review us on iTunes.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.