Cyber Regulation, Legislation and Policy

As a CEO or Board member, you should understand how cyber policy and regulation could affect your business.  The following section provides overview information about the Executive Order on Cybersecurity, proposed cybersecurity regulation, and SEC cybersecurity disclosure guidance.

Executive Order on Cybersecurity 

Recognizing that U.S. critical infrastructure, such as power plants and pipelines, has become increasingly networked and vulnerable to cyber threats, the President issued an Executive Order (EO) on February 12, 2013 to improve U.S. defenses against cyberattacks. The EO focuses on the following initiatives:

  • Increased cyberthreat information sharing between government and U.S. companies, including incident reporting and more efficient information flow.
  • Creation of a common cybersecurity framework to house best practices, standards, maturity models and procedures.
  • Implementation of a voluntary program to promote the adoption of the framework.
  • Reviews of existing cybersecurity regulations and proposals for new regulations if needed; privacy and civil liberties protections are included in these reviews.

For the full text of the Executive Order: Critical Infrastructure Cybersecurity, click here

Cybersecurity Framework (final February 2014)

The White House tasked the National Institute of Standards and Technology (NIST) with the creation of a draft Cybersecurity Framework, which is expected to be in final form by February 2014 after extensive review by interested parties.  The Framework should be considered a structured guide to achieving an acceptable level of protection rather than a detailed “cookbook” of procedures and processes.  Each industry and business has a unique set of assets to protect, making a one-size-fits-all prescriptive approach impractical.  Thus, the framework will provide each organization with a general structure that can be tailored to fit its specific risk profile.  Components of the framework include:

  • Core functions (identify, protect, detect, respond and recover).
  • Categories and subcategories, such as access controls and detection processes. 
  • Implementation tiers (similar to maturity models used in a variety of disciplines).  Each of the four tiers builds on the one before it, starting at the “partial” tier (basic security) and eventually reaching the strongest state, the “adaptive” tier. 
  • Profiles containing specific responses to risks identified in core functions and categories.  Progress towards cybersecurity protection goals is measured at the profile (operational/implementation) level. 

The Cybersecurity Framework is initially focused on critical infrastructure, 85% of which is owned by private firms.  Over time at least some of the Cybersecurity Framework elements will be implemented by companies that supply infrastructure providers.  Going forward, more widespread adoption is expected.  The need for trusted relationships between business partners will further drive penetration into the workplace, since the Cybersecurity Framework provides a common benchmark for an organization’s cyber defense capabilities. 

Pointer for CEOs and Boards:  The Cybersecurity Framework should provide a ready-made structure for an effective security program and allow more time to be spent on risks and defenses specific to the company.  Stay tuned for the final Cybersecurity Framework.

To review the Preliminary Cybersecurity Framework click here.

Incentives

Since the Cybersecurity Framework is voluntary, the Administration will create a Voluntary Program to promote adoption of the Cybersecurity Framework.  Work is currently underway on how to incent companies to join the Voluntary Program.  As directed by the EO, the Departments of Homeland Security, Commerce and Treasury have identified potential incentives.  Some incentives could be put in place rather quickly; others will require additional action, such as legislation. 

On August 6, 2013, the White House put out a draft list of potential incentives including:

  • Cybersecurity Insurance
  • Grants
  • Process Preference
  • Liability Limitation
  • Streamlining of Regulations
  • Public Recognition
  • Rate Recovery for Price Regulated Industries
  • Cybersecurity Research

Click here for more details on the proposed incentives:

SEC Interpretative Guidance on Cybersecurity Disclosures

On October 13, 2011, the Securities and Exchange Commission (SEC) Division of Corporation Finance issued its first ever guidance regarding public company disclosure of cybersecurity risks and cyber incidents.  While the guidance does not change existing disclosure requirements, and is not legally binding, it does review specific SEC disclosure rules that may require public companies to describe cybersecurity matters and provides SEC guidance on what types of disclosure, if any, may be necessary in light of a company’s facts and circumstances.  The guidance sends the message that cyber incidents are of interest to investors, and companies must proactively assess cybersecurity risk and disclosure requirements, both before and after a cyber incident.  To read the complete SEC cybersecurity guidance click here.

The SEC cybersecurity disclosure guidance is under review.  In May 2013, SEC Chairman Mary Jo White asked her staff to evaluate the SEC’s current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary.

For an analysis of the disclosures made by public Fortune 1000 companies in 2012, see Willis Fortune 1000 Cyber Disclosure Report (August 2013) at http://blog.willis.com/downloads/cyber-disclosure-fortune-1000-2013/ and the Willis Fortune 500 Cyber Disclosure Study (May 2013) at  http://blog.willis.com/downloads/cyber-disclosure-fortune-500/.

CEO and Board Recommendations:  Companies that fail to make proper cyber disclosure could be subject to SEC enforcement actions or shareholder litigation.  CEOs and Boards must consider:

  • What constitutes a material cyber breach?
  • How will a material breach be disclosed to shareholders?
  • How are we engaging outside legal counsel?
  • Are legal risks being properly mitigated, including through the use of insurance?

Status Update - Cybersecurity Legislation

Over the last decade Congress has considered but not passed a number of legislative proposals for improving U.S. cybersecurity defenses.  Most recently the focus has been in two areas:  (a) safeguarding critical infrastructure, such as power plants, pipelines and communications networks, and (b) improving knowledge transfer between government and industry.

In February of 2013, Representatives Mike Rogers (R-Michigan) and C.A. “Dutch” Ruppersberger (D-Maryland) introduced the Cyber Intelligence Sharing and Protection Act (CISPA).  A prior version of this bill won House passage in 2012 but was not passed by the Senate.  Major features of the CISPA include:

  • Authorizing government agencies to share certain classified cybersecurity information with private companies; 
  • Allowing companies that have been attacked (successfully or not) to share their experiences without legal liability; and
  • Encouraging companies to share threat information with other firms and the government (voluntary basis only).

Even though recent security leaks by former NSA contractor Edward Snowden have slowed the momentum of the legislation, the CISPA sponsors and other supporters remain hopeful that the legislation can move forward this year or next.  The most recent version of CISPA states that compliance with the cybersecurity guidelines would be voluntary rather than mandatory.  As a result, CISPA now enjoys support from industry groups such as the U.S. Chamber of Commerce.  Some civil liberties organizations have voiced opposition, suggesting that CISPA would allow private industry to spy on citizens on behalf of the federal government.  The President’s executive order contains language to address these and similar concerns. 

Senate Intelligence Committee Chairwoman Dianne Feinstein (D-California), Jay Rockefeller (D-West Virginia), Carl Levin (D-Michigan), Barbara Mikulski (D-Maryland) and Chris Coons (D-Delaware) have introduced a Senate version of the bill (“Cybersecurity and American Cyber Competitiveness Act of 2013”).

For more information please see: