“Privacy and data security in the global, data-driven economy are among the most important issues facing companies, consumers, policymakers and other stakeholders.” – Federal Trade Commissioner Julie Brill, in a keynote address before the March 2015 USCIB/BIAC/OECD Conference on “Promoting Inclusive Growth in the Digital Economy”

2015 was a big year for speeches and advisories from government regulators on the topic of cyber risks. Here, we assess some of the major speeches, including key quotes and warnings, given by U.S. government officials and entities throughout the year.

The National Institute of Standards and Technology

While the National Institute of Standards and Technology (NIST) isn’t a federal regulatory agency, its work, such as the 2014 Cybersecurity Framework, is increasingly being used by regulators to determine whether organizations have a good handle on cyber risks.

On Feb. 12, 2015, Dr. Willie E. May, acting director of the NIST, stated, “Protecting our IT assets and data is both a technical and a leadership challenge.” Two months later, on April 17, May also explained the importance of cybersecurity thusly: “Cybersecurity is too important to be left to your IT department and operations groups. Cybersecurity must be a core issue for your corporate executive team. It can literally make or break your company.”

The Federal Trade Commission

In 2015, the Federal Trade Commission (FTC) continued to flex its enforcement muscles. On Jan. 28, Commissioner Julie Brill delivered her keynote address at Carnegie Mellon University in which she stated that “data security has been a priority of the FTC for more than a decade.”

She added, “The FTC obtained more than 50 consent orders against companies that, in our view, misrepresented how good their security was or failed to take reasonable measures to protect consumer data.” She made clear that “reasonable data security is essential to privacy. Put simply, there is no privacy without appropriate data security.”

On March 3, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, delivered a speech titled “The FTC’s Privacy and Data Security Priorities for 2015.” In it, she stated, “We are not the only federal agency working on privacy and data security issues, but we have the broadest jurisdiction in this area, and I think it’s fair to say we’ve been the most active and the loudest over the past two decades.”

The FTC’s warnings to business executives are clear. Yet it is also trying to assist organizations in improving their cybersecurity posture. Its September 2015 report “Start with Security: A Guide for Business” encourages businesses to learn from the lessons of the enforcement cases the FTC launched.

While most companies settle with the FTC, some fought hard against enforcement actions, even calling into question the organization’s authority. Following one particular landmark court ruling, FTC Chairwoman Edith Ramirez released an official statement.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” she said. “It is not only appropriate, but critical that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The FTC’s Enforcing Privacy Promises page lists cases in which the FTC has taken action. It’s likely a list that your organization’s executives want to avoid being on.

The Securities and Exchange Commission

As previously reported, the Securities and Exchange Commission (SEC) also stepped up its warnings and enforcement actions regarding cyber risks at publicly traded companies. On Oct. 14, in a speech at the 12th Annual Boardroom Summit and Peer Exchange, SEC Commissioner Luis Aguilar warned that “boards also need to be aware of the increased regulatory focus on a company’s cybersecurity oversight.”

He reminded the audience of his 2014 cybersecurity comments at the New York Stock Exchange (NYSE), saying, “In today’s digitally interconnected society, the potential reputational harm that can envelop a company not prepared to respond to a crisis can quickly overtake the initial crisis as the most consequential threat to a company’s future outlook.”

In September 2015, the Office of Compliance Inspections and Examinations (OCIE), housed under the SEC, announced its 2015 Cybersecurity Examination Initiative, which aims to “assess cybersecurity preparedness in the securities industry.” One of the areas the OCIE focuses on is governance and risk assessment, including determining whether firms “are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business.”

It also wants examiners to “review the level of communication to, and involvement of, senior management and boards of directors.” As a legal advisory firm put it, while the OCIE’s efforts in 2015 had a helpful tone, firms under SEC oversight should be prepared to answer cybersecurity questions should the SEC come knocking.

The Federal Financial Institutions Examination Council

The Federal Financial Institutions Examination Council (FFIEC) is a body charged with promoting uniformity in the supervision of financial institutions. While its jurisdiction doesn’t extend beyond financial institutions, organizations would do well to review the FFIEC’s Cybersecurity Assessment Tool (CAT), released in June 2015.

In its Overview for Chief Executive Officers and Boards of Directors, the FFIEC stated that, using the tool, management could enhance oversight of the institution’s cybersecurity by doing the following:

  • Identifying factors contributing to and determining the institution’s overall cyber risk;
  • Assessing the institution’s cybersecurity preparedness;
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
  • Determining risk management practices and controls that are necessary or need enhancement and actions to be taken to achieve the desired state; and
  • Informing risk management strategies.

While the FFIEC CAT isn’t mandatory for nonfinancial organizations, it provides a mechanism for organizations to assess the maturity of their cybersecurity program.

Regulators aren’t the only ones who have been sending messages about the importance of good management of cyber risks. In December 2015, Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015. The proposed legislation directs the SEC to issue final rules requiring reporting companies to:

  1. Disclose whether any member of the governing body such as the board of directors or general partner of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
  2. If no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.

Final Thoughts on Cyber Risks

2015 was a banner year for the awareness of and discussions about cyber risks. The stakes are high — a sentiment best described by May of the NIST, who said, “Strong cybersecurity is the key to strong bottom lines and a strong economy.”
