Within the last year, multiple laws and regulations have significantly increased cybersecurity risk management responsibility for board members and C-level executives. Let’s review four of these developments to ensure you have a plan in place to meet the requirements.
- CPU Vulnerabilities Change the Economics and Security of Cloud vs On-Prem
The “Meltdown” and “Spectre” central processing unit (CPU) vulnerabilities can expose organizations to significant new security risks. The risk that hosted cloud servers expose personally identifiable information (PII) and encryption keys to side-channel attacks on shared hardware has Intel and hosting providers scrambling to address the vulnerabilities. Additionally, the current patches for these issues are dramatically slowing CPUs by 25-30% and changing the economics of hosted environments. Executives and board members need to evaluate how these new developments are being addressed by providers and in-house IT staff.
- New York State Regulations are Introducing a Wave of New Officer and Director Responsibilities
In March 2017, a new regulation went into effect in New York state that requires organizations to have a risk-based cybersecurity plan in effect by August 2017. While the SEC currently mandates that organizations implement “reasonable safeguards to protect a client’s nonpublic information,” the new law provides more clarity on how organizations are expected to mitigate cyber threats. Boards of directors are now required to certify, on an annual basis, that the organization is complying with the requirements of the law. Certifying senior officer(s) and directors could be held personally liable for compliance shortcomings.
- Federal Law is Brewing Up New Security Expertise Requirements for Boards
The Federal government is also looking to raise cybersecurity accountability to the board level in commercial organizations. A bill recently introduced in the U.S. Senate would direct the Securities and Exchange Commission to issue rules requiring all publicly traded companies to disclose in their annual reports or proxy statements whether any member of the board of directors has expertise or experience in cybersecurity. If no board member has such expertise or experience, the reporting company would need to describe what additional cybersecurity steps were taken by the persons responsible for identifying and evaluating board nominees, such as a nominating committee.
This ruling will make it important for board members to familiarize themselves with the process their organization uses to identify cyber risks, as well as the controls used to mitigate them. There are several widely used frameworks, such as ISO 27001, the Federal Risk Management Framework, and the NIST Cybersecurity Framework (CSF). While their processes vary, their common goal is to give an organization a method to identify organizational risk, designate controls to address those risks, and implement those controls to reduce the organization’s cybersecurity risk to an acceptable level.
- Firmware Auditing in Florida: Now it’s the Law
The Florida Agency for State Technology adopted the NIST CSF into the Florida Administrative Code as the “Florida Cybersecurity Standards.” The significance of the adoption is that the NIST CSF and the Florida Cybersecurity Standards expressly call for an “integrity verification tool that detects unauthorized changes to firmware.” The Florida Cybersecurity Standards also state that agencies must require their third-party vendors to comply with the agencies’ cybersecurity policies.
Most importantly, Florida Cybersecurity Standards rule 74-2.003 states, “PR.DS-6: use integrity checking mechanisms to verify software, firmware, and information integrity. Application controls shall be established to ensure the accuracy and completeness of data, including validation and integrity checks, to detect data corruption that may occur through processing errors or deliberate actions.” Most organizations do not adequately address or monitor firmware updates, but the Florida law will now require organizations working with the state to have a cybersecurity program in place.
To conclude, it is imperative to understand how the above changes will affect your organization. Every week a new breach is reported and a new security risk is identified. Having a plan in place to address these changes will prevent your organization from becoming a victim of a data breach and save your board of directors and executives from liability.