The National Association of Corporate Directors (NACD) published a report titled “2017–2018 NACD Public Company Governance Survey”. Judy Selby did a remarkable write up on this report that can be found here. Of particular importance is the following:
“Twenty-two percent of directors indicated dissatisfaction with the quality of cyber risk information they receive from corporate management. Those directors do not believe that they have adequate transparency into the company’s cyber security problems or that the information they are receiving does not allow for effective internal and external benchmarking.”
What this conveys is a continued challenge experienced in the cybersecurity sector that technical threats are not being translated into business risk. The aspect of being able to benchmark is attainable only if organizations elect to participate in information sharing models, which many do not.
On December 12th, HEMISPHERE will be featured at the winter SSCA event at MITRE. During this afternoon session, we will highlight highlight lessons learned from 15 independent engagements of small and medium size organizations. The audience would have data points for the following:
1) most common gaps
2) most common adoptions
3) risk variances identified (GovCon vs. Commercial enterprise)
4) avg. Costs to remediate to be fully compliant with 800-171 plus a number of other controls that when not followed, historically result in a cyber incident resulting in sanctions or litigation
4) avg risk response maturity (levels 1-4)
5) breakdown of how many assessments done direct vs. client’s law firms
We hope you can attend.
HEMISPHERE is pleased to announce we are now part of the The Information Technology Sector Coordinating Council (IT SCC) serves as the principal entity for coordinating with the government on a wide range of critical infrastructure protection and cybersecurity activities and issues. The IT SCC brings together companies, associations, and other key IT sector participants, to work collaboratively with the Department of Homeland Security, government agencies, and other industry partners. Through this collaboration, the IT SCC works to facilitate a secure, resilient, and protected global information infrastructure..
HEMISPHERE will be focusing on supporting the IT-SCC mission goals and objectives pertaining to small and medium size business interests.
For more details about the Council, please click here.
In past blogs on this site or at CSOonline’s Cyber Insurance Forum, the topics of enhanced regulatory requirements for the insurance sector have been highlighted. On October 24th, 2017 the National Association of Insurance Commissioners announced the passing of their Model Law that all licensee’s will be subject to. This new law essentially aligns with the State of New York’s Financial Services Cybersecurity Law to ensure each entity establishes a minimum level of cyber risk mitigation practices to protect non-public data.
So first off, what exactly is a licensee? According to the NAIC, “Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
As of 2015, there were about 1.7 million individuals that meet this definition. While each state commissioner will still have to determine adoption timelines, it is important to note that while every state may not adopt, the likelihood the majority of them will follow suit is quite high. After New York launched its requirements, the State of Colorado quickly followed and California already had things in the works. So what does this actually mean for the industry?
Up until a few years ago, if I met with my local State Farm agent “John Smith” and completed the necessary paperwork for an auto policy, I would presume it was at the State Farm Headquarters. WRONG! In point of fact, the majority of agents have unique employment agreements and these “agents” work from home, strip mall site, etc. The point being that what we as consumers may imagine are in play for safeguarding our personally identifiable information is likely more consistent with the average home user…..enough said. Now, that is not to say that when you complete an online policy for the big five carriers that you need to worry as they generally have fair levels of cyber defense solutions in place.
The model law requires the implementation of a formal written program in addition to having adequate technical and operational best practices to protect non-public information such as social security numbers, financial data, home addresses etc. While speaking with the Independent Insurance Agents of Virginia, I was curious how many records the average small agent shop has. I was thinking hundreds? Actually it is more like a thousand. So then it becomes a question of does John Smith have a cyber plan in place to identify, detect, and respond to a cyber incident? What about full disc encryption or multi-factor authentication?
HEMISPHERE has designed a solution to specifically meet these new requirements that enables these business owners to meet these requirements in the most cost effective manner possible. For more details on our newest service offering, please click here.
For more information, please contact us at (703) 881-7785 to discuss how these new requirements will impact your operations.
Regardless of the size of your business, having the ability to adequately respond to a crisis event is critical. Most business owners will look at perils such as fire, flood, theft, etc. On September 27th, 2017, HEMISPHERE presented with GENEDGE on how cyber is a peril of equal concern. Rather than talking about the actions of hackers, in this session, we explore prudent and pragmatic approaches towards cyber risk.
Key takeaways for the audience:
- Smaller businesses are preferred targets
- Not having one can impact your ability to respond to U.S. Government solicitations
- Understanding the financial risks of not having a cyber plan
Please review our presentation here.
Earlier this week, I was fortunate enough to listen in to a webinar with Robin Basham, Bob Metzger, and Lisa Harchuck Popadic. This webinar highlighted the Global Data Protection Regulation (GDPR). GDPR is the newest privacy law regulating how custodians of Personally Identifiable Information (PII) of individuals residing in 28 partner countries should protect said PII.
The GDPR is a lengthy read but the Cliff Notes version is this, the way in which you are required to manage PII of any individual within the 28 countries that are defined is likely going to be problematic for U.S. business owners. Of particular interest was a topic that Ms. Basham brought up on the topic of data retention. If you have PII of Carlos Smith from Spain, you do not simply get to keep that data in perpetuity. There is a “Right to be Erasure” clause, which is an update to the former Safe Harbor agreement where a “Right to be Forgotten” existed as a result of a civil case “Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)”
Ms. Basham went on to describe a scenario where even if the PII was thought to be removed or “erased” from the custodian, if a breach took place and said record was one of the records disclosed because the business owner was not aware that an employee with BYOD permissions still had that specific record on the device, the company may look at a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6).
This issue is compounded by U.S. firms that are relying on cloud-based capabilities. Absent of signing up for very restrictive terms and conditions that ensure the data residing on an infrastructure as a service or “IaaS” on a specific asset, the ability to physically control where the record of Carlos Smith went is very problematic.
If you are a government contractor “GovCon” and you rely on European business partners, what types of data are you maintaining? If you answer, “well, I don’t”, think again. Do you have any of the following?
- business partner’s name
- banking details to allow for payments via ACH
Bob Metzger highlighted how GovCons now have to abide by recent changes to the Defense Federal Acquisition Regulations (DFAR) that directs GovCons to implement NIST SP800-171 “Protecting Controlled Unclassified Information on Non-Federal Systems”. The reason this added great value to the discussion is because the goals and objectives of GDPR and DFAR are very different. DFAR is designed to focus on security and GDPR is designed to focus on privacy. The point being made that while different objectives, similar outcomes are possible.
I recently had a discussion with an insurance carrier that was interested in HEMISPHERE’s cyber risk exams for applicants. One of the questions was, “does it focus on security or privacy”? While you can have cybersecurity without directly tying to privacy, you cannot reduce privacy risks without the implementation of cybersecurity best practices. So if a GovCon is able to demonstrate capabilities that align with the 110 controls currently in play, these same controls will likely have a significant impact in reducing the GovCon’s cyber risk exposure to a privacy violation under GDPR.
For more information as to how HEMISPHERE can help you meet you cyber, legal and insurance concerns, please contact us for a free consultation at (703) 881-7785 or email us at firstname.lastname@example.org .
If you have followed any of my past posts, you are probably familiar with the Department of Defense Federal Acquisition Regulations (DFAR). Recently I attended an event at the MARK Center that was titled “Network Penetration Reporting and Contracting for Cloud Services”. If you have never been to this facility, what a great experience. Getting into the Pentagon is easier!
I was pleasantly surprised to see attendees coming from New York to Florida in anticipation of learning more about what the Department of Defense intends to require government contractors to demonstrate as far as cyber hygiene. There has been a significant amount of ambiguity in terms of what is in the DFAR versus what industry believes it is saying and this session would hopefully shed some light on these issues.
The event had several panelists from various disciplines supporting DoD, including the Deputy CIO. After each segment, a Q&A was afforded to the audience (approximately 200 attendees). A number of questions pertained to gaps in the linkage between sections of the FAR and what implications flow down may have. A number of scenarios were highlighted that included the use of cloud and other forms of subcontractors.
What was interesting to me was a lack of ability to see the panel operating off the same sheet of music. Each scenario posed seemed to be met with very ad hoc responses that in some cases appeared to have panel members contradicting one another.
An even more pressing issue was the tone of this session as the DoD stipulated at the onset, that this session was to highlight requirements and answer questions. This was followed by a unilateral “we are not changing this so get over it” type of preamble. You could hear the grumblings amongst the attendees as most were there to highlight gaps that require clarification by DoD and in many ways, justification to amend based on the issued identified.
One question raised was if you use a FedRAMP approved cloud service provider and they have requirements that are well beyond the implementation of NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems”, is the contractor obligated to adhere to the remaining controls prescribed under NIST 800-53. Short answer, “yes”. The entire audience pretty much gasped with rumblings of “then why not impose 800-53 and be done with it?!”
This issue was compounded further when the panel highlighted the following taken from Section 7012:
“The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at email@example.com, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”
The panel made reference to each prime using reasonable judgement to determine what subcontractors have an actual need to know/access covered defense information (CDI). What seems to be missing here is a lack of understanding how teaming arrangements work in the government contracting community. If you have ever pursued a solicitation for an Indefinite Delivery Indefinite Quantity (IDIG), you know this is merely a hurdle and in no way promises work. Upon award of an IDIQ, the prime gets to determine who on the team will compete for subsequent task orders. Most utilize a “best athlete” approach. Meaning that whichever subcontractor has the best person or widget for the specific task order, will be submitted for consideration to pursue said task order.
Since nobody can predict the future, how can I prime determine in this scenario, who ultimately may have access to CDI. If all contractors shall implement NIST 800-171 no later than 12/31/2017, if you have an IDIQ out for bid right now and you are not already aligning with NIST 800-171, what does that mean? If the IDIQ is set for submission no later than 6/30/2017, that means that the review period will run through at least October with a likely award date in February 2018. So those who cannot attest that they are aligned with 800-171 as of now, are kind of hosed.
With 110 unique controls that must be met, including clearly defined Plans of Actions and Milestones (POAMs), are you ready to attest in writing that you are good to go as of January 1, 2018? It is right around the corner and many elements remain ambiguous as a result of what was not clarified at Industry Day. Let HEMISPHERE help your organization prepare to meet these unique challenges.
When Law Firms are on the hook
A recent case was brought to my attention that is noteworthy. An article published by James Kurz “Failure to use basic protections when transferring electronic files results in waiver of privilege” highlights the criticality in not underestimating risk exposure to law firms. What would normally be construed as almost “bullet-proof” methods for discussing a case under the banner of attorney-client privilege is coming under scrutiny when less than professional methods for protecting a client come into play.
When reviewing a checklist by the ABA, it is almost comical if not frightening, that the legal profession has such a low level understanding of what needs to be protected and how to do so. Back when the Panama Papers took place, I would have thought for sure, our phones would ring off the hook. Actually, quite the opposite. When engaging with law firms afterwards the general response was, “We are good. Our IT guy installed a firewall years ago”. Now as an American, you can make an argument “Hey, that’s Panama”. When you have a hubris that is so pronounced, even in the United States, the next time you engage an attorney you may want to ask the following:
- Years of experience?
- Handle cases like mine before?
- Percentage of cases with favorable ruling?
- How do you protect my information?
- Are there unique capabilities your firm will enable when electronically communicating with me (encryption, etc.)?
HEMISPHERE specializes in identifying what actually causes cyber risk and can support law firm’s best interests in the United States or abroad.
On May 30th, 2017, Charles Tindell interviewed HEMISPHERE’s CEO, Carter Schoenberg on cyber risk and cyber insurance. For the full interview, please see the Charles Tendell Show.
If you keep hearing about cyber risk and insurance and would like to learn more, check out the CSO Cyber Insurance Forum at: http://www.csoonline.com/blog/the-cyber-insurance-forum/