The Cybersecurity Reporting Maze — Who’s Running the Show?

CYRIN Newsletter


It seems like a good idea to share information with other people in your sector, and even with government agencies, so that they can spread the alarm about cyber breaches at your company, school, or organization. A recent example is the breach at digital identity management services provider Okta, which reported that some of its customers were targeted; the breach probably happened because an employee logged into a personal Google account on a company laptop.

In our October newsletter we spoke about the need for being transparent about breaches, and about how such cooperation is the basis of ISACs, which are set up for that very purpose: to alert others in your industry sector about cyber breaches. Another recent example was Mr. Cooper, one of America’s largest nonbank mortgage loan servicers, which suffered a cyberattack sometime during the last week of October and duly reported it via a Form 8-K filing to the U.S. Securities and Exchange Commission (SEC). A sidebar to that report noted that the Federal Trade Commission (FTC) recently finalized a rule requiring non-bank financial institutions to notify the agency within 30 days of a data breach affecting 500 or more people. That rule is expected to go into effect next year. It seems like these companies are doing the right thing by reporting breaches to the right agencies. However, there can be downsides. As we detailed in our last newsletter, there was the case of the law firm Covington and Burling, which suffered a breach; the SEC wanted access to a great deal of information, much of which the law firm handed over. However, the firm pushed back on certain information that it considered attorney/client privilege. In that case the court ruled that Covington had to provide most, but not all, of the requested information, and the decision may now move on to an appeal. Not only can the rules be onerous in certain circumstances, but the number of agencies and regulations continues to grow.

A recent article in The Washington Post cited some examples. The American Association of Railroads says it must report to two different agencies, the Transportation Security Administration and the Securities and Exchange Commission, and each has a different reporting deadline when someone suffers a major cyber incident — 24 hours and four days, respectively. “These competing time frames and definitions can create unnecessary confusion and burden on those seeking to comply,” the association wrote. In another case, by some estimates, the aviation sector is subject to 11 different proposed, mandatory and voluntary incident reporting rules.

Last year President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires entities in a critical infrastructure sector (which can include financial institutions) to report to the Cybersecurity and Infrastructure Security Agency (CISA) certain cyber incidents within 72 hours and ransomware payments within 24 hours of the payment. At the same time the SEC published several proposed rules that would require various regulated entities to disclose certain cybersecurity-related incidents. The FTC also tossed its hat into the ring with its aforementioned rules and issued a proposal to require covered financial institutions to notify the FTC within 30 days after discovering a data breach affecting or reasonably likely to affect at least 1,000 consumers (further amended to 500 or more).

It seemed straightforward: enact a law that requires entities in critical sectors to report breaches to a government agency, like CISA, that is particularly attuned to and set up to deal with cybersecurity issues. However, if you’re a bank you not only have to report to CISA, the SEC, and now possibly the FTC, you also have reporting requirements and regulations from the Federal Reserve, the FDIC (Federal Deposit Insurance Corporation), or the OCC (Office of the Comptroller of the Currency), depending on which is your primary federal regulator.

The question now is who is in charge and who determines what, when and how much information should be disclosed and to whom? In many cases, it’s a government agency like CISA, which seems to be doing a good job of coordinating information and trying to do it in some cases on a “voluntary” basis, where it might not have official regulatory oversight. But even at that, people are pushing back, and some in Congress are saying it’s too much and agencies like CISA and the SEC shouldn’t have so much power. In fact, there was a recent resolution introduced in Congress that would reverse the SEC rule.

Throw several different reporting agencies into the mix, not to mention state regulations and your customers, and you can see why companies and some organizations are beginning to push back.

Now some groups are saying we need “another agency” or office to oversee cyber rules: a clearinghouse of sorts, an entity the federal government might create to oversee the burgeoning number of conflicting cybersecurity regulations, as some industry groups told the Office of the National Cyber Director in October. According to reports in the Washington Post, the U.S. Chamber of Commerce was one of several organizations to recommend creating an office of some kind — in the chamber’s case, within the White House — to oversee cyber regulations.

In that same article, Tim Starks notes that industry groups see the need for such an office because they believe leadership on this issue is lacking and regulations are confusing. “It is not clear to industry which agency in the federal government acts as the clearinghouse for cyber-related regulations and requirements,” the group argued. “Multiple authorities are issuing guidance and requirements, often simultaneously and frequently overlapping in coverage.”

This summer, the White House tried to create some order when it released the 57-page National Cybersecurity Strategy Implementation Plan (NCSIP). That document sets out how the Executive Branch intends to bolster cybersecurity, presenting detailed strategies for how this should or might take place across the private and government sectors.

Last month, the World Economic Forum issued a response to the White House’s request to harmonize cybersecurity regulations. It notes that this is a global problem and that “Government agencies worldwide that create cybersecurity requirements for industry, including those of the US, frequently adopt distinct approaches to address identical or similar sets of cybersecurity challenges due to the absence of a global consensus. This leads to complex, industry and sector agnostic, fragmented, inconsistent, and sometimes conflicting regulations, which lack and prevent mutual interoperability.”

The response adds: “The evolution of the cybersecurity threat landscape and regulators’ reflexive response to tighten regulations exacerbates the problem. Organizations are forced to divert limited resources to address regulatory compliance challenges instead of focusing on their cybersecurity posture. In addition to a lack of consensus on cyber requirements, a lack of consensus exists on who or what is in the scope of these regulations (e.g., varying critical infrastructure sector designations, different regulations bringing various systems into scope, etc.)”

Companies, then, are in a bit of a bind, and one that the new White House strategy both highlights and complicates. While an increasingly digitized world, across the board, clearly requires strict security protocols that are constantly refreshed and reimagined, companies are also responsible to stakeholders in a way that government agencies are not. While some of the regulations are mandatory (across government sectors, for example), others are voluntary, which can lead to gray areas for law firms, banks and possibly government contractors, just to name a few.

Although there is widespread support for these strategies and efforts, it remains to be seen who will implement these protocols, who will put them in place, and who will provide oversight across all government and industry sectors. At least, however, there now appears to be a comprehensive document in place that can provide a springboard for action and accountability, even if the question of regulation, and how deep it does or doesn’t go, remains to be answered fully.

CYRIN can help

In an increasingly digitized world, training, and especially experiential training, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyber attack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

CYRIN teaches you with hands-on, real-world training. It’s the closest you’ll get to understanding the tools and techniques you need to prepare for, defend against, and recover from an attack. It’s not a book and it’s not a lecture: you learn by doing, which is the best teacher.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs, allowing you to practice 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
