
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.

This is the introductory post in a series exploring how security ratings can address key aspects of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight’s ratings to drive better risk management through the lens of the NIST framework.

In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effective are departments and agencies at implementing these programs? And how do we measure success?

In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or recent media coverage, and the potential impact each could have on American Information Security.

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.

In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. While high-profile breaches brought this issue into the consciousness of the American public and government, the need for transparency is even more pressing due to the high volume of unreported breaches: our own analysis found that in our home state of Massachusetts alone, 1 million residents had their PII compromised in healthcare breaches during 2007-2011. Yet the lack of movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries or at the state level. In this post, we round up some interesting legislative initiatives happening around the globe and in US state governments.
Since California became the first state to enact a security breach notification law in 2001, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow similar basic tenets, namely that “companies must immediately disclose a data breach,” a burden most stringent when the data compromised could be classified as personally identifiable information (PII), such as name, social security number, date of birth, mother’s maiden name, etc.

There’s certainly been a lot of talk about third party risks recently. There’s been the fallout from the Target breach, and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, where the DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion surrounding third-party risk and the critical infrastructure, too. And there’s also been considerable attention given to third-party risks as it relates to financial services companies.

There’s no shortage of challenges when it comes to securing the critical infrastructure. These are very complex, interconnected systems, and highly motivated, potentially well-trained and funded adversaries target them. And should critical infrastructure systems become unavailable, whether electrical, financial, or communications systems – every public sector organization and private enterprise that relies on them is also in danger of being severely hampered, or even shut down.

When third party vendors, partners, processors and contractors find out about a breach of your customers' data, do you know what their notification practices are? Would you be surprised to know that almost a full third of them probably won't ever let you know that they've put your data at risk?

Last week I had the opportunity to be in San Francisco for the RSA conference and Metricon 9. The discussion at the conference and what is now coming out in news reports is that this was the largest RSA event to date in terms of attendance and exhibitors. I agree with what Morgan Stanley cited in their RSA Conference takeaways report: the attention that recent high profile breaches have received contributed to the increased interest from attendees. Cyber risk has finally become a board level issue. The heightened awareness and consequently anticipated increases in security budgets evidence the recognition that organizational cyber security performance is a critical business issue.

With so much of today's business processes dependent on a complicated network of suppliers, contractors, and service providers, the problem of determining liability for data privacy and protection is quickly coming to a head. When sensitive data is hosted in a provider's infrastructure, is that provider or its customer responsible for protecting that data? If a company entrusts a partner with a customer database and that partner lets the database be compromised, which company is responsible for notifying those customers and who will end up footing the bill for legal damages?

In October, the Office of the Comptroller of Currency (OCC) issued new guidance for banks regarding third party risk management, listing one of their reasons for issuing these guidelines as failure by the banks "to perform adequate due diligence and ongoing monitoring of third-party relationships." Current means of assessing third party security risk include annual audits and questionnaires, tools that are useful but which fail to provide the continuous, evidence-based assessments banks need to truly understand their vendor risk, especially when it comes to security risk management.