2015: The Year Feds Warned About Cyber Risks
“Privacy and data security in the global, data-driven economy are among the most important issues facing companies, consumers, policymakers and other stakeholders.” – Federal Trade Commissioner Julie Brill, in a keynote address before the March 2015 USCIB/BIAC/OECD Conference on “Promoting Inclusive Growth in the Digital Economy”
2015 was a big year for speeches and advisories from government regulators on the topic of cyber risks. Here, we assess some of the major speeches, including key quotes and warnings, given by U.S. government officials and entities throughout the year.
The National Institute for Standards and Technology
While the National Institute for Standards and Technology (NIST) isn’t a federal regulatory agency, its work, such as the 2014 Cybersecurity Framework, is increasingly being used by regulators to determine whether organizations have a good handle on cyber risks.
On Feb. 12, 2015, Dr. Willie E. May, acting director of the NIST, stated, “Protecting our IT assets and data is both a technical and a leadership challenge.” Two months later, on April 17, May also explained the importance of cybersecurity thusly: “Cybersecurity is too important to be left to your IT department and operations groups. Cybersecurity must be a core issue for your corporate executive team. It can literally make or break your company.”
The Federal Trade Commission
In 2015, the Federal Trade Commission (FTC) continued to flex its enforcement muscles. On Jan. 28, Commissioner Julie Brill delivered her keynote address at Carnegie Mellon University in which she stated that “data security has been a priority of the FTC for more than a decade.”
She added, “The FTC obtained more than 50 consent orders against companies that, in our view, misrepresented how good their security was or failed to take reasonable measures to protect consumer data.” She made clear that “reasonable data security is essential to privacy. Put simply, there is no privacy without appropriate data security.”
On March 3, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, delivered a speech titled “The FTC’s Privacy and Data Security Priorities for 2015.” In it, she stated, “We are not the only federal agency working on privacy and data security issues, but we have the broadest jurisdiction in this area, and I think it’s fair to say we’ve been the most active and the loudest over the past two decades.”
The FTC’s warnings to business executives are clear. Yet it is also trying to assist organizations in improving their cybersecurity posture. Its September 2015 report “Start with Security: A Guide for Business” encourages businesses to learn from the lessons of the enforcement cases the FTC launched.
While most companies settle with the FTC, some fought hard against enforcement actions, even calling into question the organization’s authority. Following one particular landmark court ruling, FTC Chairwoman Edith Ramirez released an official statement.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” she said. “It is not only appropriate, but critical that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The FTC’s Enforcing Privacy Promises page lists cases in which the FTC has taken action. It’s likely a list that your organization’s executives want to avoid being on.
The Securities and Exchange Commission
As previously reported, the Securities and Exchange Commission (SEC) also stepped up its warnings and enforcement actions regarding cyber risks at publicly traded companies. On Oct. 14, in a speech at the 12th Annual Boardroom Summit and Peer Exchange, SEC Commissioner Luis Aguilar warned that “boards also need to be aware of the increased regulatory focus on a company’s cybersecurity oversight.”
He reminded the audience of his 2014 cybersecurity comments at the New York Stock Exchange (NYSE), saying, “In today’s digitally interconnected society, the potential reputational harm that can envelop a company not prepared to respond to a crisis can quickly overtake the initial crisis as the most consequential threat to a company’s future outlook.”
In September 2015, the Office of Compliance Inspections and Examinations (OCIE), housed under the SEC, announced its 2015 Cybersecurity Examination Initiative, which aims to “assess cybersecurity preparedness in the securities industry.” One of the areas the OCIE focuses on is governance and risk assessment, including determining whether firms “are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business.”
It also wants examiners to “review the level of communication to, and involvement of, senior management and boards of directors.” As a legal advisory firm put it, while the OCIE’s efforts in 2015 had a helpful tone, firms under SEC oversight should be prepared to answer cybersecurity questions should the SEC come knocking.
The Federal Financial Institutions Examination Council
The Federal Financial Institutions Examination Council (FFIEC) is a body charged with promoting uniformity in the supervision of financial institutions. While its jurisdiction doesn’t extend beyond financial institutions, organizations would do well to review the FFIEC’s Cybersecurity Assessment Tool (CAT), released in June 2015.
In its Overview for Chief Executive Officers and Boards of Directors, the FFIEC stated that, using the tool, management could enhance oversight of the institution’s cybersecurity by doing the following:
- Identifying factors contributing to and determining the institution’s overall cyber risk;
- Assessing the institution’s cybersecurity preparedness;
- Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
- Determining risk management practices and controls that are necessary or enhancement and actions to be taken to achieve the desired state; and
- Informing risk management strategies.
While the FFIEC CAT isn’t mandatory for nonfinancial organizations, it provides a mechanism for organizations to assess the maturity of their cybersecurity program.
Regulators aren’t the only ones who have been sending messages about the importance of good management of cyber risks. In December 2015, Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015. The proposed legislation directs the SEC to issue final rules requiring reporting companies:
- Disclose whether any member of the governing body such as the board of directors or general partner of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
- If no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.
Final Thoughts on Cyber Risks
2015 was a banner year for the awareness of and discussions about cyber risks. The stakes are high — a sentiment best described by May of the NIST, who said, “Strong cybersecurity is the key to strong bottom lines and a strong economy.”