Earlier this week, I was fortunate enough to listen in to a webinar with Robin Basham, Bob Metzger, and Lisa Harchuck Popadic. This webinar highlighted the Global Data Protection Regulation (GDPR). GDPR is the newest privacy law regulating how custodians of Personally Identifiable Information (PII) of individuals residing in 28 partner countries should protect said PII.
The GDPR is a lengthy read, but the Cliff Notes version is this: the way in which you are required to manage PII of any individual within the 28 countries that are defined is likely going to be problematic for U.S. business owners. Of particular interest was a topic that Ms. Basham brought up on data retention. If you have PII of Carlos Smith from Spain, you do not simply get to keep that data in perpetuity. There is a “Right to Erasure” clause, which is an update to the former Safe Harbor agreement, where a “Right to be Forgotten” existed as a result of the civil case “Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)”.
Ms. Basham went on to describe a scenario in which, even if the PII was thought to have been removed or “erased” by the custodian, if a breach took place and that record was one of the records disclosed because the business owner was not aware that an employee with BYOD permissions still had that specific record on the device, the company may face a fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6).
This issue is compounded for U.S. firms that rely on cloud-based capabilities. Absent signing up for very restrictive terms and conditions that ensure the data resides on a specific asset within an infrastructure-as-a-service (“IaaS”) offering, the ability to physically control where the record of Carlos Smith went is very problematic.
If you are a government contractor “GovCon” and you rely on European business partners, what types of data are you maintaining? If you answer, “well, I don’t”, think again. Do you have any of the following?
- business partner’s name
- banking details to allow for payments via ACH
Bob Metzger highlighted how GovCons now have to abide by recent changes to the Defense Federal Acquisition Regulations (DFAR) that direct GovCons to implement NIST SP 800-171 “Protecting Controlled Unclassified Information on Non-Federal Systems”. The reason this added great value to the discussion is that the goals and objectives of GDPR and DFAR are very different. DFAR is designed to focus on security and GDPR is designed to focus on privacy. The point being made was that, while the objectives differ, similar outcomes are possible.
I recently had a discussion with an insurance carrier that was interested in HEMISPHERE’s cyber risk exams for applicants. One of the questions was, “does it focus on security or privacy”? While you can have cybersecurity without directly tying to privacy, you cannot reduce privacy risks without the implementation of cybersecurity best practices. So if a GovCon is able to demonstrate capabilities that align with the 110 controls currently in play, these same controls will likely have a significant impact in reducing the GovCon’s cyber risk exposure to a privacy violation under GDPR.
For more information as to how HEMISPHERE can help you meet your cyber, legal and insurance concerns, please contact us for a free consultation at (703) 881-7785 or email us at email@example.com.
If you have followed any of my past posts, you are probably familiar with the Department of Defense Federal Acquisition Regulations (DFAR). Recently I attended an event at the MARK Center that was titled “Network Penetration Reporting and Contracting for Cloud Services”. If you have never been to this facility, what a great experience. Getting into the Pentagon is easier!
I was pleasantly surprised to see attendees coming from New York to Florida in anticipation of learning more about what the Department of Defense intends to require government contractors to demonstrate as far as cyber hygiene. There has been a significant amount of ambiguity in terms of what is in the DFAR versus what industry believes it is saying and this session would hopefully shed some light on these issues.
The event had several panelists from various disciplines supporting DoD, including the Deputy CIO. After each segment, a Q&A was afforded to the audience (approximately 200 attendees). A number of questions pertained to gaps in the linkage between sections of the FAR and what implications flow down may have. A number of scenarios were highlighted that included the use of cloud and other forms of subcontractors.
What was interesting to me was a lack of ability to see the panel operating off the same sheet of music. Each scenario posed seemed to be met with very ad hoc responses that in some cases appeared to have panel members contradicting one another.
An even more pressing issue was the tone of this session, as the DoD stipulated at the onset that this session was to highlight requirements and answer questions. This was followed by a unilateral “we are not changing this so get over it” type of preamble. You could hear the grumblings amongst the attendees, as most were there to highlight gaps that require clarification by DoD and, in many ways, justification to amend based on the issues identified.
One question raised was: if you use a FedRAMP-approved cloud service provider and they have requirements that are well beyond the implementation of NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems”, is the contractor obligated to adhere to the remaining controls prescribed under NIST 800-53? Short answer, “yes”. The entire audience pretty much gasped, with rumblings of “then why not impose 800-53 and be done with it?!”
This issue was compounded further when the panel highlighted the following taken from Section 7012:
“The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at firstname.lastname@example.org, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”
The panel made reference to each prime using reasonable judgement to determine which subcontractors have an actual need to know/access covered defense information (CDI). What seems to be missing here is an understanding of how teaming arrangements work in the government contracting community. If you have ever pursued a solicitation for an Indefinite Delivery Indefinite Quantity (IDIQ) contract, you know this is merely a hurdle and in no way promises work. Upon award of an IDIQ, the prime gets to determine who on the team will compete for subsequent task orders. Most utilize a “best athlete” approach, meaning that whichever subcontractor has the best person or widget for the specific task order will be submitted for consideration to pursue said task order.
Since nobody can predict the future, how can a prime determine in this scenario who ultimately may have access to CDI? If all contractors shall implement NIST 800-171 no later than 12/31/2017, and you have an IDIQ out for bid right now and you are not already aligning with NIST 800-171, what does that mean? If the IDIQ is set for submission no later than 6/30/2017, that means the review period will run through at least October, with a likely award date in February 2018. So those who cannot attest that they are aligned with 800-171 as of now are kind of hosed.
With 110 unique controls that must be met, including clearly defined Plans of Action and Milestones (POAMs), are you ready to attest in writing that you are good to go as of January 1, 2018? It is right around the corner, and many elements remain ambiguous as a result of what was not clarified at Industry Day. Let HEMISPHERE help your organization prepare to meet these unique challenges.
When Law Firms are on the hook
A recent case was brought to my attention that is noteworthy. An article published by James Kurz, “Failure to use basic protections when transferring electronic files results in waiver of privilege”, highlights how critical it is not to underestimate the risk exposure of law firms. What would normally be construed as almost “bullet-proof” methods for discussing a case under the banner of attorney-client privilege is coming under scrutiny when less than professional methods for protecting a client come into play.
When reviewing a checklist by the ABA, it is almost comical, if not frightening, that the legal profession has such a low level of understanding of what needs to be protected and how to do so. Back when the Panama Papers took place, I would have thought for sure our phones would ring off the hook. Actually, quite the opposite. When engaging with law firms afterwards, the general response was, “We are good. Our IT guy installed a firewall years ago”. Now, as an American, you can make the argument “Hey, that’s Panama”. But when hubris is so pronounced, even in the United States, the next time you engage an attorney you may want to ask the following:
- Years of experience?
- Handle cases like mine before?
- Percentage of cases with favorable ruling?
- How do you protect my information?
- Are there unique capabilities your firm will enable when electronically communicating with me (encryption, etc.)?
HEMISPHERE specializes in identifying what actually causes cyber risk and can support law firms’ best interests in the United States or abroad.
On May 30th, 2017, Charles Tendell interviewed HEMISPHERE’s CEO, Carter Schoenberg, on cyber risk and cyber insurance. For the full interview, please see the Charles Tendell Show.
If you keep hearing about cyber risk and insurance and would like to learn more, check out the CSO Cyber Insurance Forum at: http://www.csoonline.com/blog/the-cyber-insurance-forum/
I recently was at an event where an individual representing a forensics firm was discussing with me the limited options when confronting Locky and other forms of ransomware. There is a video on CSO that gives a great step-by-step on one remedy. I do not have any details as to whether this will work with WannaCry.
Available at CSO
Business today increasingly relies on partners.
The increase in third party risk programs suggests security leaders take this seriously. The reality is our partners, often small and medium businesses, face growing challenges, too. Understanding the situation and current limitations is a key step in making sure everyone is properly covered.
Cyber insurance plays a key role here. The second of six perspectives in the Leading Security Change on Cyber Insurance explores the small business aspects.
I learned a lot during my conversations with Carter Schoenberg, CISSP, (LinkedIn, @carter1679) President & CEO of HEMISPHERE Cyber Risk Management, LLC. Carter is an industry veteran of 16 years who has served commercial and government clients with industry-leading predictive analysis used by law enforcement, the intelligence community, legal experts, and the insurance sector to address cyber risk.
We talked at length about the challenges of the small and medium businesses. We focused on a range of opportunities, including industry approaches, cyber security, and the role of security leaders at larger organizations to influence change.
Are SMBs (small and medium businesses) too small to take cyber security and insurance seriously?
They used to ask John Dillinger why he robbed banks. He responded, “Cuz that’s where the money is.” Small business owners tend to forget they make up over 99% of all business in the United States, according to the U.S. Census Bureau. I do not know of a single small business that does not accept credit cards. Even micro business owners use Square or other point of sale mobile terminal capabilities. These same small businesses generally do not have network defensive capabilities, let alone the ability to identify if an attack is even occurring – outside of the self-evident ransomware attack. That is a pretty “target rich” opportunity. If you examine a recent survey by Small Business Trends in which SMBs place such an emphasis on “Customer Records” but turn a blind eye to “Employee Records”, Houston – we have a problem!
I recently worked a case where a small business had to respond to 35 state attorney general requirements for disclosing a breach of PII (employee W2 data) and it was a massive blow to them financially in terms of internal manpower and paying for external subject matter expertise.
Most SMBs fail to understand these factors, and if you do not understand your risk exposure, how can you protect against or mitigate it? SMB owners may say, “Why would China or Russia want to come after me?” To a certain extent, they are correct, but when you add context, they are factually wrong. If we mean nation state actors, perhaps they are not what you need to worry about. Men and women in uniforms are not the issue; individuals and groups acting in a collective within China and Russia are your problem.
How do we address the challenge of translating the risk in a way that SMB (and others) understand?
People in the field of cybersecurity are great at identifying technical threats. We fail miserably at translating it into business risk. If I were to say to an SMB client, “Management interfaces and services allow the remote management and administration of a host. If these services are available to the general enterprise network they are vulnerable to a wide range of attacks from the enterprise network user population. Almost all administrative services are vulnerable to brute force and password guessing attacks.”, what the heck are they supposed to do with that? Now let’s look at it differently.
“You have a vulnerability that we detected that can allow unauthorized access to your payroll and accounts receivables. There is information supporting the bad guys are actively taking advantage of this weakness you have and we want to limit your exposure to it. We have prepared some recommendations, based on risk and priority to guide you through how to resolve it. We estimate it will take about 2 man hours to resolve and have minimal impact on your business operations.”
Now you have translated a technical finding into a business risk, highlighted a solution based on priority, and shown what is business- and cost-justified. The big challenge in the industry is that cyber has become so commoditized that people have become accustomed to paying good money for reports that add little or no value because they are not actionable or repeatable for SMBs.
What do enterprises need to think about when it comes to the SMBs they partner with or acquire?
Any technology professional who has ever lived through a merger or acquisition will tell you the same story. The Buyer’s CEO struck a deal with the Seller’s CEO. The acquisition is complete, and IT (let alone cybersecurity) staff were never consulted and are now tasked to make Sales and HR functions interoperable immediately. As we can see by the chart below, the number of small businesses that are bought out is not trivial.
Unfortunately, while the CEOs are busy reviewing the books (revenues, pipelines, debt, etc.), they never look at the cyber hygiene of the Seller. Most recently (albeit not SMBs), both Verizon and Marriott have hit the presses in the last year because of the intent to buy out Yahoo and the Starwood Group, realizing massive financial risk exposure after negotiations due to “undisclosed” breaches during the courting period. Regardless of business size, the Federal Trade Commission is taking a very stiff position on businesses that misrepresent their cyber capabilities when conducting commerce as it applies to transmitting, storing, or receiving personally identifiable information or otherwise protected data under statutory law or regulatory requirements.
What’s happening with the current state of the insurance marketplace?
Data supports that in 2015, the market value of cyber policy premiums was $1 billion dollars. This is expected to increase to as high as $10 billion by 2025. In order to accomplish this target Cash Annual Growth Revenue (CAGR), the insurance sector must properly evaluate a business model that not only improves top line revenues but also improves bottom line estimates by reducing the volume and values of claims stemming from a cybersecurity event.
There are 63 firms selling cyber policies and one major firm alone currently has over 50,000 SMB clients with cyber coverages. Regardless of how many clients a firm has or their respective client’s size, they all continue to struggle with pricing. In many instances, pricing is likely set artificially high as one of the traditional questions a buyer is rated against is annual revenues. The higher the revenues, the higher the premium. In 2015, NetDiligence reported that 62% of all claims originated from small business. This data point alone could highlight a need to categorically reevaluate how to measure and assess cyber policy premiums and coverage amounts.
In the race to write policies, there was a misstep leading to the unforeseen volume and value of claims. This positioned policy writers to create unique lines of coverage and clearly defined “exclusions” to traditional general liability or errors and omissions policies where cyber coverages may have been “thought” to be covered.
How can cyber insurance help better address these issues?
Since 2011, DHS has been working with the insurance sector to see how to best work collaboratively and find common ground as to how to address cyber risk through insurance. The industry came back with a resounding, “We don’t have the data to standardize”. This has fueled the race to write policies with little regard as to how providing pre-event services (vulnerability assessments, network and host monitoring, security training, legal consultations) can dramatically reduce the likelihood of a claim instead of focusing on post-event services (breach notifications, forensics, incident response, credit monitoring, etc.) that cost an arm and a leg unless you have the power of collective buying like carriers do.
In March, the state of New York just imposed some pretty hefty cybersec requirements for any business in the financial services sector with $10m in annual revenues. The legislative act basically stated there was a business justification to warrant such measures. In 2017, there is a business justification that warrants a categorical shift in adopting pre-event service offerings within the scope of the policy premium versus waiting for the catastrophe. I liken this to the following historical events that we take as status quo but were not always around because legislation or industry did not mandate them:
- Removal of lead paint and asbestos
What resulted? Dramatic decreases in civil tort action. We can talk cyber all day long as a national security interest but at the end of the day, the almighty dollar is what drives national policy and in this case cyber policy premium and coverage limitations.
Beginning on December 31st, 2017, all Government Contractors (GovCons) that sell technology, technology as a service, or services for technology (including staff augmentation) are bound by recent cybersecurity requirements from the U.S. Government.
There are approximately 300,000 GovCons and half of them are small businesses. These new requirements, as defined in the Defense Federal Acquisition Regulations (DFAR), do not distinguish by company size. Furthermore, similar requirements are now in play for federal civilian agencies as well. There are a number of articles that have been published by Robert Metzger and other industry experts on what exactly this means to the GovCon community.
Several challenges exist with these new requirements. They range from demonstrating compliance with the 110 controls defined by the National Institute of Standards and Technology’s Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems”, to showing that a remote penetration test was conducted, to showing how an organization plans to address material weaknesses yielded by a security assessment, or even reporting a breach within 72 hours from the time of discovery.
Even if you can demonstrate aligning with the goals and objectives of these requirements, there is a much larger issue at hand. If the U.S. Government specifies in contract language that a GovCon must do “A, B, and C” or face sanctions and penalties, ranging from a False Claims Act action for misreporting the actual status of the GovCon’s cyber hygiene to being “…responsible for incident response costs, breach notifications, and credit monitoring of impacted record holders…”, how would a GovCon be able to sustain such findings?
If the population size of small business GovCons is around 150,000 and we conservatively estimate that about 1/3 (or 50,000) are now within the scope of having to protect CUI as defined by NARA, that is a very large sample size given the fact that studies show that greater than 60% of small businesses close their doors in the face of a cyber event due to the financial implications. Lest we forget, 48 states now have their own unique breach reporting requirements.
Let us look at the following example.
A small business GovCon in northern Virginia has just won a contract with the US NAVY to support cyber operations and logistics in San Diego. This is a huge win for the company as it increases their size from 20 people to over 150 (with over 100 physically supporting the San Diego effort).
Something went bump in the middle of the night (pick your compromise of the day – phishing, SQL injection, etc.) and by all accounts, it appears the network owned or controlled by the small business is compromised. A recent Symantec survey shows 43% of all “targeted” attacks were against small businesses.
The small business owner picks up the phone to call the representative defined in the contract within the first 72 hours. NAVY facilitates an incident response query to assess the extent of damages. Fortunately, the source of compromise was identified and eradicated in just one business day. Upon further review, the NAVY looks at what was reported by the GovCon and finds that two-factor authentication was not implemented on admin accounts, and that this was a vector to access PII and other sensitive data.
Now the Government has a mechanism to consider a False Claims Act action for misrepresenting what you actually had. Also, when you notified the Government within the first 72 hours, did you notify the State of California’s Attorney General? Did you even know you “legally” had to? Did you know that you are likely required not only to notify each employee of the fact their PII was compromised, but also that you may need to provide credit monitoring services for at least a year?
How will you pay for all of this if you do not have cyber insurance to offset the costs? How do you even know where to turn to for cyber coverage? If you think you have it embedded within your General Liability or Errors and Omissions insurance, you would be wrong.
Don’t let the hard stop deadline of 12/31/17 pass you by and cause you to lose out on Government awards. Contact HEMISPHERE today to set up a free consultation to learn what you will need to do and how to maximize your profits by offsetting the costs tied to cyber risks.
Welcome to our Blog. Each week, we will provide you content on issues at the forefront of cybersecurity and cyber risk. In collaboration with CSOonline.com and other sources of content, we look to provide you a consolidated view of issues pertaining to:
– Cyber Insurance
– Hacking techniques
– Small business cybersecurity
– Statutory and Regulatory changes as they apply to cyber