WASHINGTON — Both federal and state regulators are struggling to address cyber risk issues, said speakers at the first Business Insurance Cyber Risk Summit in Washington on Thursday.
At the federal level, much of the focus has been on the U.S. Department of Commerce's National Institute of Standards and Technology's final framework for improving cyber security, which suggests voluntary standards that can potentially help companies mitigate legal liability from data breaches and other cyber threats.
The guidelines, released earlier this year, were in response to President Barack Obama's executive order last year calling for addressing the “repeated cyber intrusions” that are “one of the most serious national security challenges we must confront.”
Andrew J. Grotto, senior adviser for technology policy at the U.S. Department of Commerce, said NIST had set out to develop guidelines, created in partnership with the federal government, that are based on a consensus of best practices that are voluntary and flexible.
Mr. Grotto described the framework as a starting point “especially for organizations that are less mature in terms of their awareness and ability to manage risk to develop best practices to address those risks. It's not a silver bullet,” he said.
Tom Finan, senior cyber security strategies and counsel with the Strategy and Policy Office at the U.S. Department of Homeland Security, discussed the role of insurance in addressing cyber risk, and the possibility of policyholders who follow best practices eventually being able to benefit from lower insurance rates.
However, he said, in many cases the business case for investing against cyber risks has still not been made. Company management often continues to treat cyber risks as an “IT problem,” he said, and the key reason appears to be that cyber risk has still not been reduced to terms non-technical business people can understand: its cost and the potential damage to reputation.
During a session on the state legislative and regulatory framework, Thomas M. MacLellan, director of the Homeland Security and Public Safety Division at the Washington-based National Governors Association, said his association has made five recommendations to address the issue of cyber security: establish a framework to address the issue; conduct risk assessments and allocate resources accordingly; implement continuous practices to monitor the issue; ensure that states maintain current security methodology and business disciplines; and focus on the “weakest point,” which is the people, by creating a “culture of risk awareness.”
Gene Fishel, senior assistant attorney general and chief of the computer crime section for the Virginia attorney general's office in Richmond, Virginia, said that in his state, the cyber crime realm his office covers includes computer intrusion, hacking, fraud, ID theft and email crimes.
This includes enforcement of data breach notification laws, he said, noting breaches occur on almost a daily basis, although three-quarters of them involve small businesses.
“Our first goal as an enforcement authority is to make sure that if a company or organization has suffered a data breach that the consumers or people impacted are notified as quickly as possible,” he said.
There is not necessarily a mindset to punish the organization, he said. “We just want to make sure the laws are complied with and the notification goes out.”
Aaron R. Lancaster, counsel at law firm Dickstein Shapiro L.L.P. in Washington, discussed last month's ruling in Federal Trade Commission v. Wyndham Worldwide Corp. et al. in which a U.S. District Court judge allowed the Federal Trade Commission to sue the Parsippany, New Jersey-based Wyndham hotel chain on grounds it failed to adequately protect customers' personal information.
In addition, a medical laboratory that closed in January, Atlanta-based LabMD Inc., has sued the FTC, accusing it of an “unconstitutional abuse of government power” for its investigation of its data security practices, he said.
Mr. Lancaster said “most states have broad consumer protection statutes that are modeled after the FTC,” with the “same ability to enforce unfair and deceptive trade practices that the FTC has.”