Interesting changes are happening in the world of cybersecurity legislation. Notably, these changes are impacting the role of the chief information security officer (CISO). No longer are CISOs just the sacrificial lamb (read: scapegoat) when a company suffers a data breach.
The changes revolve around newly minted regulations in the New York State Department of Financial Services along with a proposed Senate bill, The Cybersecurity Disclosure Act of 2017 S.536.
The Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 took effect March 1, 2017. One of the significant things this regulation does is define a cybersecurity event as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System”. Note that it does not just talk about data exfiltration, but goes so far as to say any successful or unsuccessful attempt.
I speak at many events where the audience is predominately CISOs. I’ve noticed that they’ve been very careful to delineate between an “event” and a “breach” because this gives them -- and the company’s general counsel -- the ability to put clear parameters around when they must enact their incident response (IR) plan and potentially provide notifications of data leaving their control.
Based on this definition included in the regulation and in Section 500.17 Notices to Superintendent, these regulations will likely require increased notifications in the wake of a possible breach. Another unique aspect of this regulation is that it mandates the naming of a qualified CISO. This CISO will be required submit a written report at least annually to the Board of Directors, their equivalent governing body, or a Senior Officer. This report must include cybersecurity risks, overall effectiveness of the program, and any material cybersecurity events. There are many other requirements of this regulation regarding risk assessment and testing as well.
The Cybersecurity Disclosure Act of 2017, which has been proposed before the Senate, brings the mandate of cybersecurity acumen to a company’s board of directors. If passed, this law will require that publicly traded companies include in their annual filings and proxy statement a disclosure on whether any member of the board or appropriate governing body has cybersecurity expertise or experience. If the board doesn’t have a member with that expertise, the company must disclose what efforts have been taken to identify and evaluate new nominees who possess the expertise to join the board.
Even though this requirement won’t go in to effect until a year after it is passed, it is very surprising that the federal government is trying to make this a requirement. It speaks very strongly to how important they feel this expertise is to the operations of a public company.
While these laws/regulations are only applicable to somewhat narrowly defined groups in the grand scheme of things, they are steps in the right direction by ensuring that corporations are being good stewards when it comes to cybersecurity. Additionally, many organizations are being proactive and have already enacted many of the items contained in these regulations even though they don’t directly apply.
I believe these regulations are just a few examples of what’s to come over the next several months as cybersecurity remains a critical issue we must address. With that said…CISOs and potential CISOs, get used to wearing a suit because you are moving up in the world!
-- Fidelis Senior Vice President of Cybersecurity Services Mike Buratowski