Making the Case for ‘Reasonable’ Cybersecurity
In litigation, specificity is crucial. “Beyond a reasonable doubt” is the standard of proof in criminal cases, and prosecutors have to convince the jury that the evidence leaves no reasonable doubt about the defendant’s guilt. In civil cases, the standard is “preponderance of the evidence,” meaning the plaintiff must show that a fact is more likely than not true.
For regulators overseeing enterprise cybersecurity practices, the standard of proof is “reasonable cybersecurity,” or taking measures to protect data based on what a reasonably prudent person would do in similar circumstances. At the recent RSA Conference, the Center for Internet Security (CIS) released a detailed white paper on reasonable cybersecurity and how the concept intersects with privacy laws.
Reasonable cybersecurity is intentionally ambiguous and depends heavily on context. A cyber insurance carrier will often use a questionnaire asking whether various security controls are in place, and underwriters might or might not approve a policy. But if a breach occurs later, the insurer might dispute the claim, as happened in 2022, when Travelers Insurance won a lawsuit against International Control Services over misrepresented security controls.
Some standards, like the Payment Card Industry Data Security Standard (PCI DSS), are prescriptive, while others, like the European Union’s General Data Protection Regulation (GDPR), offer more flexibility. The EU law says an organization must make a “good faith effort to give people the means to control how their data is used and who has access to it. To accomplish this, you must transparently and openly provide them with the information they need to understand how their data is collected and used.”
According to the Cornell Law School website, the legal definition of “reasonable” means, in part, “Just, rational, appropriate, ordinary, or usual in the circumstances.” In reality, reasonable can mean almost anything corporate management wants it to mean.
Quantifying Cyber Risk
The board and the executive management define what makes sense from a cyber capability perspective for their organization in their business, says Charlie Lewis, partner at McKinsey. Lewis says that quantifying cyber risk goes a long way toward determining what is and is not reasonable, and points out that Federal Reserve Vice Chairman for Supervision Michael Barr underscored the need to improve this nascent technology in remarks to the Conference on Measuring Cyber Risk in the Financial Services Sector back in January.
“Better data on cyber threats and vulnerabilities will enable us to identify and assess threats to banks and the financial system,” Barr said. “In addition, improved data on interconnectedness between financial institutions and service providers will help identify and measure the impact of an incident on the broader financial system.”
“When I talk about quantifying cyber risk, I can then set my risk tolerance in a way that lets me understand my control performance, and how well my capabilities are performing,” Lewis says. “That helps define reasonable.”
Along with the term reasonable, another word that Lewis says boards need to focus on is materiality. He notes that the Securities and Exchange Commission’s recent rule changes help in defining materiality for disclosure purposes, adding that other regulatory requirements also identify specific required security controls. Knowing these required controls and how they are used in a corporate environment helps develop a reasonable cybersecurity defense.
Enabling Security Controls
Curtis Dukes, executive vice president and general manager at CIS, agrees that balancing materiality with reasonableness is essential. In a recent 10-K filing with the SEC, a company said its forensics investigation of a breach found there was no material impact to earnings or operations. But while this statement met the regulatory requirement, it was made before the full impact of the breach could be determined. The initial results of a forensics investigation can be incomplete or simply wrong.
Meeting the standard for reasonableness is “highly subjective,” says Dukes. “It’s typically up to a judge or to a jury to decide [and] assess fault in some type of litigation for that.”
Security frameworks such as the NIST Cybersecurity Framework (CSF) and CIS’ own Critical Security Controls (CIS Controls) eliminate much of this confusion, he says, by providing enterprises with the controls they need to meet the legal reasonableness requirement, along with the controls needed to meet regulatory requirements. Organizations that implement these frameworks also generally meet cyber insurance requirements.
Dukes adds that reasonable cybersecurity is a strong defense against artificial intelligence attacks as well. “If you have a good data governance program, prior principles in place, and you’re protecting data using a set of cybersecurity best practices in the form of controls and underlying safeguards, then you’re largely mitigating the threat of artificial intelligence.”