Cyber Regulation, Legislation and Policy
As a CEO or Board member, you should understand how cyber policy and regulation could affect your business. The following section provides overview information about the Executive Order on Cybersecurity, proposed cybersecurity regulation, and SEC cybersecurity disclosure guidance.
Executive Order on Cybersecurity
Recognizing that U.S. critical infrastructure, such as power plants and pipelines, has become increasingly networked and vulnerable to cyber threats, the President issued an Executive Order (EO) on February 12, 2013, to improve U.S. defenses against cyberattacks. The EO focuses on the following initiatives:
For the full text, see the Executive Order: Critical Infrastructure Cybersecurity.
Cybersecurity Framework (final February 2014)
The White House tasked the National Institute of Standards and Technology (NIST) with the creation of a draft Cybersecurity Framework, which is expected to be in final form by February 2014 after extensive review by interested parties. The Framework should be considered a structured guide to achieving an acceptable level of protection rather than a detailed “cookbook” of procedures and processes. Each industry and business has a unique set of assets to protect, making a one-size-fits-all prescriptive approach impractical. Thus, the framework will provide each organization with a general structure that can be tailored to fit its specific risk profile. Components of the framework include:
The Cybersecurity Framework is initially focused on critical infrastructure, 85% of which is owned by private firms. Over time at least some of the Cybersecurity Framework elements will be implemented by companies that supply infrastructure providers. Going forward, more widespread adoption is expected. The need for trusted relationships between business partners will further drive penetration into the workplace, since the Cybersecurity Framework provides a common benchmark for an organization’s cyber defense capabilities.
Pointer for CEOs and Boards: The Cybersecurity Framework should provide a ready-made structure for an effective security program and allow more time to be spent on risks and defenses specific to the company. Stay tuned for the final Cybersecurity Framework.
See also the Preliminary Cybersecurity Framework.
Since the Cybersecurity Framework is voluntary, the Administration will create a Voluntary Program to promote adoption of the Cybersecurity Framework. Work is currently underway on how to incent companies to join the Voluntary Program. As directed by the EO, the Departments of Homeland Security, Commerce and Treasury have identified potential incentives. Some incentives could be put in place rather quickly; others will require additional action, such as legislation.
On August 6, 2013, the White House put out a draft list of potential incentives including:
SEC Interpretative Guidance on Cybersecurity Disclosures
The SEC cybersecurity disclosure guidance is under review. In May 2013, SEC Chairman Mary Jo White asked her staff to evaluate the SEC’s current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary.
For an analysis of the disclosures made by public Fortune 1000 companies in 2012, see Willis Fortune 1000 Cyber Disclosure Report (August 2013) at http://blog.willis.com/downloads/cyber-disclosure-fortune-1000-2013/ and the Willis Fortune 500 Cyber Disclosure Study (May 2013) at http://blog.willis.com/downloads/cyber-disclosure-fortune-500/.
CEO and Board Recommendations: Companies that fail to make proper cyber disclosure could be subject to SEC enforcement actions or shareholder litigation. CEOs and Boards must consider:
Status Update - Cybersecurity Legislation
Over the last decade Congress has considered but not passed a number of legislative proposals for improving U.S. cybersecurity defenses. Most recently the focus has been in two areas: (a) safeguarding critical infrastructure, such as power plants, pipelines and communications networks, and (b) improving knowledge transfer between government and industry.
In February of 2013, Representatives Mike Rogers (R-Michigan) and C.A. “Dutch” Ruppersberger (D-Maryland) introduced the Cyber Intelligence Sharing and Protection Act (CISPA). A prior version of this bill won House passage in 2012 but was not passed by the Senate. Major features of the CISPA include:
Even though recent security leaks by former NSA contractor Edward Snowden have slowed the momentum of the legislation, the CISPA sponsors and other supporters remain hopeful that the legislation can move forward this year or next. The most recent version of CISPA states that compliance with the cybersecurity guidelines would be voluntary rather than mandatory. As a result, CISPA now enjoys support from industry groups such as the U.S. Chamber of Commerce. Some civil liberties organizations have voiced opposition, suggesting that CISPA would allow private industry to spy on citizens on behalf of the federal government. The President’s executive order contains language to address these and similar concerns.
Senate Intelligence Committee Chairwoman Dianne Feinstein (D-California), Jay Rockefeller (D-West Virginia), Carl Levin (D-Michigan), Barbara Mikulski (D-Maryland) and Chris Coons (D-Delaware) have introduced a Senate version of the bill (“Cybersecurity and American Cyber Competitiveness Act of 2013”).