Don't wait for Congress to act on cyber security standards
Growing cyber threats to the U.S. infrastructure and business call for action now, and the National Institute of Standards and Technology Cybersecurity Framework that arose from a 2013 executive order is a ready-made way to tackle the issue. Mike Sayre, CEO of cybersecurity company NexDefense Inc., warns that if companies don't embrace adoption of the standards, Congress may force them to.
Congress enacted the Sarbanes-Oxley Act in 2002 in response to major financial scandals by corporations including Enron Corp., Tyco International Ltd., Adelphia Communications Corp., Peregrine Systems Inc. and WorldCom Inc. that resulted in significant losses, corporate failures, lawsuits and prison time for various executives.
For example, the WorldCom scandal cost investors $180 billion, 30,000 people lost their jobs, the company filed for bankruptcy, and CEO Bernie Ebbers was sentenced to 25 years in prison for fraud, conspiracy and filing false documents with regulators.
These scandals exposed substantial problems with financial reporting practices and internal controls of publicly traded companies at the time. To address those, Sarbanes-Oxley required top management to be held accountable for the accuracy of their financial data, to be more forthcoming in public disclosures of operational and financial risk, and to select and implement an internal control framework to annually assess and report on those controls.
Ten years before Sarbanes-Oxley passed, the Committee of Sponsoring Organizations of the Treadway Commission, established to study causes of fraudulent financial reporting, developed such an internal control framework. The voluntary Internal Control Integrated Framework provides guidance on effective internal controls, enterprise risk management and fraud deterrence. With just a few early adopters, including The Boeing Co., the framework didn't come into wide use until Sarbanes-Oxley basically made it a de facto law.
Another set of voluntary guidelines of equal urgency, the National Institute of Standards and Technology Cybersecurity Framework, was released in 2014. Arising from a presidential executive order, these guidelines accelerate the cyber security efforts of American enterprises in the face of increasing threats that reach far beyond a company's walls.
'Voluntary' cyber security framework
Recognizing the threat, President Barack Obama issued an executive order in 2013 to protect critical infrastructure, and thus national security, from cyber attacks.
According to the order, critical infrastructure refers to the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Under this definition, critical infrastructure includes power plants, oil and gas refineries and pipelines, defense systems, public transportation, chemical and pharmaceutical manufacturing plants, financial institutions, health care facilities and more, involving a significant number of U.S. companies.
Within the executive order, President Obama selected the director of the National Institute of Standards and Technology to develop a voluntary cyber security framework. After 10 months of collaborating with more than 3,000 security professionals, the NIST Cybersecurity Framework was published with standards, guidelines and practices to help organizations proactively mitigate cyber risk. Building from those standards, guidelines, and practices, the framework provides a common taxonomy and mechanism for organizations to:
• Describe their current cyber security posture
• Describe their target state for cyber security
• Identify and prioritize opportunities for improvement
• Assess progress toward the target state
• Communicate cyber risk to internal and external stakeholders
Though the financial reporting framework had only a handful of early adopters, major corporations are lining up behind the cyber guidelines. Among them, American International Group Inc., Apple Inc., Bank of America Corp., Intel Corp., Chevron Corp., Pepco Holdings Inc., QVC Inc. and Walgreen Co. have adopted all or parts of the framework. Many also are requiring their suppliers to do the same.
But adoption is not accelerating as quickly as the threat landscape, which is cause for concern. While the North American Electric Reliability Corp., backed by the Federal Energy Regulatory Commission, has issued enforceable cyber security regulations for the energy sector, with significant penalties for noncompliance, to protect that portion of our critical infrastructure, other industries operate with no regulation at all.
While government-issued regulations, like those in France and Germany that hold the owners and operators of critical infrastructure legally accountable for maintaining strict cybersecurity standards, are not applicable to the U.S., there is a growing demand on organizations to take cyber risk more seriously. Adoption of the cyber security framework is ideal for organizations to assess that risk and develop comprehensive cyber security programs. It keeps the burden of responsibility in their control, at least for the time being.
Is cyber security legislation needed?
Like the COSO Framework, the NIST guidelines began as voluntary. But full adoption of the cyber security framework cannot wait 10 years for a law similar to Sarbanes-Oxley to come along. Cyber threats are too widespread, broad and potentially costly to be addressed reactively.
Even without a related congressional action, the NIST Framework can easily be accelerated into de facto law. Here's why:
• A high level of collaboration between the government and industry cyber security experts in developing the framework
• The increasing frequency of cyber attacks putting national security and public safety at risk
• The mounting motivation and sophistication of hackers worldwide
• Potential disruption and/or devastation of successful attacks
• Early adoption by major companies in several industries
In addition, the NIST framework provides information that would be needed for future auditing and reporting requirements.
Many now admit that Sarbanes-Oxley and the financial reporting framework did help improve their businesses. In fact, the Financial Executives Research Foundation released a 2005 survey revealing that 83% of large company chief financial officers said the act had increased investor confidence, and 33% stated it reduced fraud.
Midsize and large businesses should expect the same from the NIST framework, which would make critical infrastructure safer, more secure and more reliable.
The financial investment of adopting the cybersecurity tools and processes within the NIST Cybersecurity Framework is well worth it, and compliance officers, board governors and financial planners need to understand this as part of their risk mitigation strategy.
By doing so, U.S. enterprises will ensure the safety and security of millions of assets and people — perhaps without the involvement of the federal government.
Mike Sayre is the co-founder, president and CEO of NexDefense Inc., a cyber security company for industrial control systems. Contact him at 404-600-1117 or firstname.lastname@example.org.