On many occasions, I have seen a “Top 10 List” of predictions. Some stakeholders on social media give little credence to these predictions because, why does it matter? It is not like you get a trophy at the end of the year for the most correct predictions. It would be fun to see Las Vegas create an over/under line on these annual traditions in the cybersecurity arena.
I think the value of these Jimmy the Greek escapades is to provide ample warning of what people should be thinking about proactively. This begs the question of how many people actually read these things and, if they do, how (if at all) this fits into their corporate risk management modeling.
In an effort to promote awareness, with a dose of humor, please take these predictions with a grain of salted caramel. Please note these are not in rank order of priority.
Prediction #1 – National Breach Notification Law (Not going to Happen)
As a result of the Equifax breach in 2017, there has been a lot of clamoring and posturing by the U.S. Congress on this matter. With 48 states already in play and regulatory requirements such as NYDFS Cyber expanding, the probability that Congress will get in lock step on this outside of the most recent news cycle is slim to none. You have to remember, the Russians are coming to “getcha” via the digital election process, and that clearly is more important than holding businesses accountable.
Prediction #2 – Cyber Talent Shortage
Not sure what the exact or correct number is, but all data supports a huge deficit in this area. I always found this odd: in an industry with pretty much a 0% unemployment rate, you would think many would flock to these programs, so what’s the deal?
- U.S. citizens measure success by how well we play sports or by other means of illustrating that we are “winning”.
- The rough percentage of students taking Computer Science or Cybersecurity college-level coursework who are foreign nationals is over 67%. (Data collected when supporting the DHS Cyber Skills Task Force)
- College programs are too heavy on theory and policy and are not creating enough “bangers”. EDU should start to focus on classes on firewalls, SPLUNK, FireEye, TANIUM, RedSeal, etc.
- Colleges incorrectly believe additional training will be provided by the employer. With an average tenure of less than 3 years per job in cyber, that is not going to happen, with the exception of a rare number of employers.
So the shortage will continue in the U.S. labor markets, and we are unlikely to take effective measures to address this threat. (Buying more cyber widgets won’t suffice.)
Prediction #3 – The year of the penalty and the call on the field is under review
Now that we have the NYDFS Cyber Law fully in force and GDPR slated for May 25th, look to see these regulatory bodies identify a whipping boy to make an example of. This will be followed by an inevitable appeal by the defendant that will likely be heard at the State Supreme Court level or in the U.S. Federal Appellate Courts.
Depending on how egregious the error is, the defendant will likely seek options to keep out of the spotlight, and I seriously doubt that Commissioner Vullo will waver on taking the company to task.
The FTC will step up enforcement actions as a secondary enforcement action on NYDFS Cyber violations.
The EU will work closely with U.S. stakeholders on Privacy Shield implications and devise enforcement strategies against U.S. firms that improperly protect EU resident data when goods and/or services are implied. (An example may include mailing lists when the domain doesn’t even have an HTTPS connection, or similar.)
The U.S. DOD will issue an award subject to DFAR that will be protested because the Prime or a Sub to the Prime failed to meet the Safeguarding Clauses (e.g. NIST 800-171 compliance). In this scenario, the DOD will learn valuable lessons on why the language in applicable solicitations will need improvements to better define the specificity and applicability of Controlled Unclassified Information (CUI).
Prediction #4 – Uber – The hits just keep on coming
In 2018, we will likely see novel legal strategies by U.S. regulators and Uber’s insurance carrier. Uber’s data breach in 2017 is unique because of the alleged willful wrongdoing of “intentionally” not disclosing the breach to each of the 48 state attorneys general where notification is required by law. Where most causes of action in cyber litigation are predicated upon “harm”, state attorneys general will have a field day pursuing financial sanctions that will inherently impact the corporate bottom line and ultimately shareholder value.
Oversimplifying, but here is how Uber is different from Equifax and TARGET.
All three had technical issues that were driven by operational gaps in capability and/or performance. However, the fact that Uber intentionally (again, all alleged until proven in a court) did not disclose to the attorneys general constitutes an overt act to cover up the breach and a failure to comply with state laws. If the dereliction in meeting the standard of care is proven to be intentional, then the potential exists for those C-Suite parties who were complicit to face criminal charges. So yes, the TARGET and Equifax CEOs were forced out of their jobs, but if you add criminal prosecution to the mix, the degree of accountability becomes more visible to those business leaders.
Prediction #5 – Ransomware and Law Firms
I have seen a lot of predictions about the increase of ransomware attacks on the healthcare sector, and I do not disagree, but look for cases that are leaked to the press by law enforcement or corporate insiders about law firms that are held hostage just days or weeks before a massive case or Mergers and Acquisitions activity.
Law firms remain one of the single best targets for adversaries to gain intelligence, and if a medical office will pay $15-$45k in Bitcoin to restore operations, how likely is it that a law firm would refuse to pay to keep it quiet and protect its reputation, or worse?
Prediction #6 – Cyber insurance more pervasive
In 2016, the adoption rate of U.S. companies having cyber insurance was about 19%. In 2017, it looks to track for 31% (a huge jump). There are always concerns about whether the coverage will pay out. The short answer is “yes”. But as claims flow in more frequently, the insurance sector will need to re-evaluate how they measure risk beyond simply “yes/no” responses to the most basic technical questions.
The mere fact that a company has a policy should provide comfort, but not misaligned hubris in thinking that the system owner can transfer all the risk to the policy and not meet a duty to protect. As in the Uber case, if it is found that a basis exists to not pay on D&O, that may carry over to cyber coverages, preventing a claim from being honored.
Prediction #7 – M&A cyber risk impacts to valuation
As the Dow continues to increase and people are overjoyed with corporate taxes coming down, there is likely going to be an uptick in Mergers and Acquisitions (M&A). As a result of the Verizon/Yahoo and Marriott/SPG mergers, the need to better ascertain the cyber risk profile of a company subject to an acquisition will become more prevalent.
To date, M&A activities rarely even explore what the real cyber risk profile is until after the valuation is already done. When you consider the costs of data breach notifications and responses to state attorneys general, the FTC, and other regulatory bodies, the bottom line must also include the cyber risk that may be introduced as a result of a merger or acquisition. More specifically, how much impact exists within each organization’s supply chain, as the Soha Survey identified that 63% of all breaches were tied to a third-party business partner.
The National Association of Corporate Directors (NACD) published a report titled “2017–2018 NACD Public Company Governance Survey”. Judy Selby did a remarkable write up on this report that can be found here. Of particular importance is the following:
“Twenty-two percent of directors indicated dissatisfaction with the quality of cyber risk information they receive from corporate management. Those directors do not believe that they have adequate transparency into the company’s cyber security problems or that the information they are receiving does not allow for effective internal and external benchmarking.”
What this conveys is a continued challenge experienced in the cybersecurity sector: technical threats are not being translated into business risk. Benchmarking is attainable only if organizations elect to participate in information sharing models, which many do not.
On December 12th, HEMISPHERE will be featured at the winter SSCA event at MITRE. During this afternoon session, we will highlight lessons learned from 15 independent engagements with small and medium size organizations. The audience will receive data points on the following:
1) most common gaps
2) most common adoptions
3) risk variances identified (GovCon vs. commercial enterprise)
4) avg. costs to remediate to be fully compliant with 800-171, plus a number of other controls that, when not followed, historically result in a cyber incident leading to sanctions or litigation
5) avg. risk response maturity (levels 1-4)
6) breakdown of how many assessments were done directly vs. through clients’ law firms
We hope you can attend.
HEMISPHERE is pleased to announce we are now part of the Information Technology Sector Coordinating Council (IT SCC). The IT SCC serves as the principal entity for coordinating with the government on a wide range of critical infrastructure protection and cybersecurity activities and issues. The IT SCC brings together companies, associations, and other key IT sector participants to work collaboratively with the Department of Homeland Security, government agencies, and other industry partners. Through this collaboration, the IT SCC works to facilitate a secure, resilient, and protected global information infrastructure.
HEMISPHERE will be focusing on supporting the IT-SCC mission goals and objectives pertaining to small and medium size business interests.
For more details about the Council, please click here.
In past blogs on this site or at CSOonline’s Cyber Insurance Forum, the topic of enhanced regulatory requirements for the insurance sector has been highlighted. On October 24th, 2017, the National Association of Insurance Commissioners announced the passing of their Model Law, to which all licensees will be subject. This new law essentially aligns with the State of New York’s Financial Services Cybersecurity Law to ensure each entity establishes a minimum level of cyber risk mitigation practices to protect non-public data.
So first off, what exactly is a licensee? According to the NAIC, “Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
As of 2015, there were about 1.7 million individuals who meet this definition. While each state commissioner will still have to determine adoption timelines, it is important to note that while every state may not adopt, the likelihood that the majority of them will follow suit is quite high. After New York launched its requirements, the State of Colorado quickly followed, and California already had things in the works. So what does this actually mean for the industry?
Up until a few years ago, if I met with my local State Farm agent “John Smith” and completed the necessary paperwork for an auto policy, I would presume it was kept at the State Farm headquarters. WRONG! In point of fact, the majority of agents have unique employment agreements, and these “agents” work from home, a strip mall office, etc. The point being that the safeguards we as consumers may imagine are in place for our personally identifiable information are likely more consistent with those of the average home user... enough said. Now, that is not to say that when you complete an online policy with one of the big five carriers you need to worry, as they generally have fair levels of cyber defense solutions in place.
The model law requires the implementation of a formal written program in addition to having adequate technical and operational best practices to protect non-public information such as social security numbers, financial data, home addresses, etc. While speaking with the Independent Insurance Agents of Virginia, I was curious how many records the average small agent shop has. I was thinking hundreds? Actually, it is more like a thousand. So then it becomes a question of whether John Smith has a cyber plan in place to identify, detect, and respond to a cyber incident. What about full disk encryption or multi-factor authentication?
HEMISPHERE has designed a solution specifically to meet these new requirements, enabling these business owners to comply in the most cost-effective manner possible. For more details on our newest service offering, please click here.
For more information, please contact us at (703) 881-7785 to discuss how these new requirements will impact your operations.
Regardless of the size of your business, having the ability to adequately respond to a crisis event is critical. Most business owners will look at perils such as fire, flood, theft, etc. On September 27th, 2017, HEMISPHERE presented with GENEDGE on how cyber is a peril of equal concern. Rather than talking about the actions of hackers, in this session we explore prudent and pragmatic approaches towards cyber risk.
Key takeaways for the audience:
- Smaller businesses are preferred targets
- Not having a cyber plan can impact your ability to respond to U.S. Government solicitations
- Understanding the financial risks of not having a cyber plan
Please review our presentation here.
Earlier this week, I was fortunate enough to listen in to a webinar with Robin Basham, Bob Metzger, and Lisa Harchuck Popadic. This webinar highlighted the General Data Protection Regulation (GDPR). GDPR is the newest privacy law regulating how custodians of Personally Identifiable Information (PII) of individuals residing in 28 partner countries should protect said PII.
The GDPR is a lengthy read, but the CliffsNotes version is this: the way in which you are required to manage the PII of any individual within the 28 countries that are defined is likely going to be problematic for U.S. business owners. Of particular interest was a topic that Ms. Basham brought up on data retention. If you have the PII of Carlos Smith from Spain, you do not simply get to keep that data in perpetuity. There is a “Right to Erasure” clause, which is an update to the former Safe Harbor agreement where a “Right to be Forgotten” existed as a result of the civil case “Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)”.
Ms. Basham went on to describe a scenario where the PII was thought to have been removed or “erased” by the custodian, but a breach took place and said record was among those disclosed because the business owner was not aware that an employee with BYOD permissions still had that specific record on the device. In that case, the company may look at a fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6).
This issue is compounded for U.S. firms that are relying on cloud-based capabilities. Absent signing up for very restrictive terms and conditions that ensure data residing on an infrastructure-as-a-service (“IaaS”) platform stays on a specific asset, the ability to physically control where the record of Carlos Smith went is very problematic.
If you are a government contractor “GovCon” and you rely on European business partners, what types of data are you maintaining? If you answer, “well, I don’t”, think again. Do you have any of the following?
- business partner’s name
- banking details to allow for payments via ACH
Bob Metzger highlighted how GovCons now have to abide by recent changes to the Defense Federal Acquisition Regulations (DFAR) that direct GovCons to implement NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems”. The reason this added great value to the discussion is that the goals and objectives of GDPR and DFAR are very different. DFAR is designed to focus on security, and GDPR is designed to focus on privacy. The point being made is that, while the objectives differ, similar outcomes are possible.
I recently had a discussion with an insurance carrier that was interested in HEMISPHERE’s cyber risk exams for applicants. One of the questions was, “does it focus on security or privacy?” While you can have cybersecurity without directly tying it to privacy, you cannot reduce privacy risks without the implementation of cybersecurity best practices. So if a GovCon is able to demonstrate capabilities that align with the 110 controls currently in play, these same controls will likely have a significant impact in reducing the GovCon’s cyber risk exposure to a privacy violation under GDPR.
For more information as to how HEMISPHERE can help you meet your cyber, legal, and insurance concerns, please contact us for a free consultation at (703) 881-7785 or email us at firstname.lastname@example.org.
If you have followed any of my past posts, you are probably familiar with the Department of Defense Federal Acquisition Regulations (DFAR). Recently I attended an event at the MARK Center titled “Network Penetration Reporting and Contracting for Cloud Services”. If you have never been to this facility, what a great experience. Getting into the Pentagon is easier!
I was pleasantly surprised to see attendees coming from New York to Florida in anticipation of learning more about what the Department of Defense intends to require government contractors to demonstrate as far as cyber hygiene. There has been a significant amount of ambiguity in terms of what is in the DFAR versus what industry believes it is saying, and this session would hopefully shed some light on these issues.
The event had several panelists from various disciplines supporting DoD, including the Deputy CIO. After each segment, a Q&A was afforded to the audience (approximately 200 attendees). A number of questions pertained to gaps in the linkage between sections of the FAR and what implications flow-down may have. A number of scenarios were highlighted that included the use of cloud and other forms of subcontractors.
What was interesting to me was that the panel did not appear to be operating off the same sheet of music. Each scenario posed seemed to be met with very ad hoc responses that in some cases appeared to have panel members contradicting one another.
An even more pressing issue was the tone of this session, as the DoD stipulated at the onset that this session was to highlight requirements and answer questions. This was followed by a unilateral “we are not changing this so get over it” type of preamble. You could hear the grumblings amongst the attendees, as most were there to highlight gaps that require clarification by DoD and, in many ways, justification to amend based on the issues identified.
One question raised was: if you use a FedRAMP approved cloud service provider and they have requirements that are well beyond the implementation of NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems”, is the contractor obligated to adhere to the remaining controls prescribed under NIST 800-53? Short answer, “yes”. The entire audience pretty much gasped, with rumblings of “then why not impose 800-53 and be done with it?!”
This issue was compounded further when the panel highlighted the following taken from Section 7012:
“The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at email@example.com, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”
The panel made reference to each prime using reasonable judgement to determine which subcontractors have an actual need to know/access covered defense information (CDI). What seems to be missing here is an understanding of how teaming arrangements work in the government contracting community. If you have ever pursued a solicitation for an Indefinite Delivery Indefinite Quantity (IDIQ) contract, you know this is merely a hurdle and in no way promises work. Upon award of an IDIQ, the prime gets to determine who on the team will compete for subsequent task orders. Most utilize a “best athlete” approach, meaning that whichever subcontractor has the best person or widget for the specific task order will be submitted for consideration to pursue said task order.
Since nobody can predict the future, how can a prime determine in this scenario who ultimately may have access to CDI? If all contractors shall implement NIST 800-171 no later than 12/31/2017, and you have an IDIQ out for bid right now and you are not already aligning with NIST 800-171, what does that mean? If the IDIQ is set for submission no later than 6/30/2017, that means the review period will run through at least October, with a likely award date in February 2018. So those who cannot attest that they are aligned with 800-171 as of now are kind of hosed.
With 110 unique controls that must be met, including clearly defined Plans of Action and Milestones (POAMs), are you ready to attest in writing that you are good to go as of January 1, 2018? It is right around the corner, and many elements remain ambiguous as a result of what was not clarified at Industry Day. Let HEMISPHERE help your organization prepare to meet these unique challenges.
When Law Firms are on the hook
A recent case was brought to my attention that is noteworthy. An article published by James Kurz, “Failure to use basic protections when transferring electronic files results in waiver of privilege”, highlights how critical it is not to underestimate the risk exposure of law firms. What would normally be construed as an almost “bullet-proof” method for discussing a case under the banner of attorney-client privilege is coming under scrutiny when less than professional methods for protecting a client come into play.
When reviewing a checklist by the ABA, it is almost comical, if not frightening, that the legal profession has such a low level of understanding of what needs to be protected and how to do so. Back when the Panama Papers took place, I would have thought for sure that our phones would ring off the hook. Actually, quite the opposite. When engaging with law firms afterwards, the general response was, “We are good. Our IT guy installed a firewall years ago”. Now, as an American, you can make the argument “Hey, that’s Panama”. When the hubris is so pronounced, even in the United States, the next time you engage an attorney you may want to ask the following:
- Years of experience?
- Handle cases like mine before?
- Percentage of cases with favorable ruling?
- How do you protect my information?
- Are there unique capabilities your firm will enable when electronically communicating with me (encryption, etc.)?
HEMISPHERE specializes in identifying what actually causes cyber risk and can support law firms’ best interests in the United States or abroad.
On May 30th, 2017, Charles Tendell interviewed HEMISPHERE’s CEO, Carter Schoenberg, on cyber risk and cyber insurance. For the full interview, please see the Charles Tendell Show.