They say that no good deed goes unpunished. And when it comes to cyber sharing, industry leaders are concerned that their only “reward” for helping the government identify and respond to cyberthreats may be a stiff rebuke from their regulators.
In a recent survey on cybersecurity by Mayer Brown, the industry executives and corporate counsel polled revealed that concerns about regulators taking adverse enforcement actions against them have an impact on their willingness to share cyberthreat information with authorities. Of those industry leaders that responded, 44 percent admitted that adverse regulatory actions have a moderate to significant impact on their desire to share cyberthreat information with the government. Perhaps because of this fear, industry leaders also appear reluctant to develop strong cybersecurity ties with government agencies: 41 percent of responding leaders stated that their companies did not have a close relationship with one or more government entities that oversee cybersecurity issues, while 24 percent stated that they did not know whether their company had any such relationships.
As we wrote previously, President Barack Obama is trying to spur cyber sharing and promote collaboration between the private sector and the federal government. President Obama signed Executive Order 13691 last February, directing the Secretary of Homeland Security to “strongly encourage” the development of Information Sharing and Analysis Organizations (ISAOs) to facilitate public and private sector cyber sharing. Executive Order 13691 came on the heels of the Government Accountability Office’s (“GAO”) 2015 High Risk List, in which the GAO cautioned that stronger public-private partnerships are needed to strengthen critical cyber infrastructure.
Yet the responses of industry leaders reveal that the private sector is still nervous about accepting the Executive Branch’s overtures to share cyberthreat information, fearful that the government’s left hand won’t know – or possibly care – that its right hand is seeking industry cooperation. This concern is especially high regarding regulatory agencies with consumer protection missions like the Federal Trade Commission (“FTC”), the Federal Communications Commission (“FCC”), and the Consumer Financial Protection Bureau (“CFPB”).
The FTC and the FCC have been the biggest actors in the privacy and security space so far, and have shown their willingness to impose stiff penalties and lengthy compliance programs on businesses and entities that suffer a cyber-event. Moreover, the FTC, FCC and CFPB have all proudly announced their plans to pursue privacy and data security violations in the future despite a lack of clear regulations and authority. There is consequently a genuine fear that regulators may use information that a company provided to the government about a security incident or breach against it in a future enforcement action.
There are currently a number of bills in Congress to promote private sector cyber sharing by shielding private entities from liability for monitoring or sharing cyberthreat information – most notably the Cyber Information Sharing Act (CISA) (S. 754) and the National Cybersecurity Protection Advancement Act (H.R. 1731), both of which now await a vote in their respective chambers.
Are Cyberthreats Reshaping the Way You Do Business? Maybe They Should.
Cyber sharing and the spectre of regulatory actions are just two pieces of the vast cyberthreat puzzle that all companies need to pay attention to when conducting their business. As we have advised in the past, businesses should take steps to mitigate the risk of a cyber-event that would raise a regulator’s ire.
- Conduct Risk Assessments. All businesses should conduct formalized assessments to identify existing and potential security risks in their organization. A risk assessment can also help a business make informed decisions about their security risks and prioritize necessary security efforts.
- Employ Security Products and Practices. When it comes to cyberthreats – which include everything from external hacking and distributed denial of service (DDoS) attacks to viruses and malware – recent headlines have shown that no company is too small to be a victim. All businesses should deploy up-to-date security software and practices that are in line with their industry and size, to help limit the likelihood of a security incident that might lead to a regulatory action down the road. Such measures include: using strong passwords; maintaining firewalls and up-to-date antivirus software; limiting access to sensitive data; and developing a robust incident response plan.
- Get Cyber Insurance. Guarding against and responding to cyber-events is an increasingly expensive endeavor. And some companies have learned the hard way that more traditional insurance products do not necessarily cover the associated costs. As a consequence, cyber insurance has grown from a niche product to a must-have for virtually all companies in just a few years’ time. Because cyber insurance is a relatively new concept in the insurance market, insurance carriers are developing a wide range of products, many of which vary greatly in terms of the categories and scope of coverage, the types of data covered and the coverage triggers, and sub- and aggregate limits. Companies should identify knowledgeable cyber-insurance brokers and assess what types of cyber coverage are needed.
The federal government acknowledges that it needs the cooperation of the private sector to help combat cyberthreats, and is trying to encourage cyberthreat information sharing between the public and private sectors. Industry leaders are wary of voluntarily sharing such information with the government because of their fear that regulators might use the information provided to pursue enforcement actions against their companies.