Brian Thomas, CISA, CISSP, QSA, Partner-in-Charge, IT Advisory Services, Weaver and Tidwell, L.L.P.
The recent Marriott/Starwood data breach, which affected almost 400 million people, was just the latest in a year of bad news for CIOs. The year 2018 opened with new cybersecurity guidance from the Securities & Exchange Commission, and closed with an announcement that the agency had investigated nine public companies—all victims of email-related payment fraud—for failing to have adequate cybersecurity-related internal controls in place. Each of those companies lost at least $1 million to the frauds, and two lost more than $30 million each. The investigation concluded that these control failures violated SEC rules requiring public companies to provide reasonable assurance that transactions are executed, and access to company assets is permitted, only with management’s authorization.
The SEC did not take enforcement action against these companies. Nevertheless, the SEC chose to publicize its investigation as a lesson to other companies: make sure you have adequate processes and safeguards in place to protect your assets against cyber threats.
Holding public companies accountable for maintaining adequate IT protections is a priority of the SEC’s National Exam Program, and CIOs can expect to see more high-profile investigations and major penalties in the future. The agency says, “The SEC uses its civil law authority to bring cybersecurity-related enforcement actions that protect investors, hold bad actors accountable and deter future wrongdoing.”
As an example, in September 2018 the SEC censured and fined Voya Financial Advisors $1 million for violating the Safeguards Rule and the Identity Theft Red Flags Rule. This was the SEC’s first-ever enforcement action using these regulations. The data breach originated with a phishing scam, in which hackers called Voya pretending to be contractors and asked that passwords be reset. They then used the new passwords to access almost 6,000 Voya customers’ confidential information. The violations cited by the SEC were that, although the company had an identity theft protection program, its requirements were not applied to third-party vendors, and that Voya staff and contractors were not adequately trained. Finally, the company did not have adequate procedures in place to meet Red Flags Rule requirements to detect questionable accounts or transactions.
Tucked among the news of breaches and fines, there is also good news: Following best practices really does make a difference. Take the Starwood database breach, for example. Hundreds of millions of user accounts were compromised, with names and other identifying information stolen. More than five million unencrypted passport numbers were exposed. But the 8.6 million hacked payment card numbers were all encrypted, and Marriott has no reason to believe that the thieves were able to break the encryption. The success of Marriott’s payment card encryption underscores the importance of continuing to protect data at rest, not just during transmission. The breach is still serious, but it wasn’t as damaging as it could have been.
Lawmakers and regulators around the globe are responding with new data privacy and cybersecurity laws, including the EU’s GDPR, the NYDFS cyber regulation, and California and Canadian data privacy laws, to name a few. In addition, insurers are taking note. The questionnaires that CIOs must submit to insurers underwriting cyber liability policies are getting a lot more sophisticated as insurers attempt to evaluate their risk. In addition, as a result of these regulations and cyber risks, larger organizations are beginning to impose requirements on their suppliers.
Now is the time to implement a comprehensive cyber risk management program (CRMP). Attempting to address individual regulations, contractual requirements and best practices one at a time is daunting, to say the least. A comprehensive CRMP, by contrast, should be designed to ensure these considerations are continually monitored and addressed. How?
• Appoint a Chief Information Security Officer (CISO) who has legitimate qualifications in education and experience
• Choose a framework for aligning your CRMP, such as the NIST Cybersecurity Framework (CSF) or ISO 27001
• Continuously monitor trends with security tools and services to identify best-in-class solutions that can improve your security capabilities
• Establish a multi-year roadmap to build and mature your CRMP over time
• Maintain an inventory of critical information and the systems on which that data resides
• Test your organization by performing regular security assessments of various types: vulnerability assessments, penetration testing, social engineering/phishing exercises, etc.
• Identify your third-party data risk: assess any vendors who have access to your data. Consider requiring certifications (ISO 27001) or examination reports (SOC 2 or PCI) if warranted by the data at risk
• Develop and test incident identification and monitoring capabilities and incident response procedures
Although there is no single method for managing all cyber threats, and doing everything above won’t keep you from having to do additional work when new regulations are passed, CIOs who have implemented a cyber risk management program with these elements can rest knowing they have put their organization in the best possible position to deal with increasing threats.