CEO of Axon Global: an expert in cyber ERM, and recognized as a leader in his field by the U.S. Secret Service, NACD and WSJ MarketWatch.
In a digital world where information is the new currency, safeguarding against new cyber threats necessarily includes safeguards against company and personal liability (see “SEC Charges CISO with fraud”). In our experience, there is only one set of tools backed by congressional law that provides effective risk mitigation against this type of threat.
The Cybersecurity Act of 2015 (CSA 2015), signed into law by President Barack Obama on December 18, 2015, emerged as a comprehensive response to the growing concerns surrounding cybersecurity and the potential liability for collecting, transmitting and discussing actionable threat intelligence and indicators of compromise. This landmark legislation aimed to bolster the nation’s cyber defenses, enhance information sharing between the government and the private sector and fortify critical infrastructure against cyberattacks. It’s a comprehensive “quid pro quo” program. In simple terms, a private sector company agrees to share certain threat information with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and in return the government provides limited liability protection or other exemptions for helping the U.S. Government gain visibility into the threats attacking the front line of the U.S. supply chain and critical infrastructure.
Although special handling provisions apply, it is by far the single biggest Cyber Enterprise Risk Mitigation program that we have come across in 10 years. Here are six reasons why.
The Cybersecurity Act of 2015 addressed several key areas crucial for safeguarding against cyber threats and potential liability to companies and individuals.
Enhanced Information Sharing: One of the central features of the act was the promotion of voluntary information sharing between private entities and the federal government. Recognizing the importance of real-time intelligence in combating cyber threats, the legislation provided legal protections for companies sharing cybersecurity information with federal agencies and other private sector entities. This provision aimed to facilitate a collaborative approach to cybersecurity, allowing for the swift dissemination of threat indicators and defensive measures.
Protection Of Critical Infrastructure: Critical infrastructure, including sectors such as energy, finance, healthcare and transportation, is vital to the functioning of society. The Cybersecurity Act sought to strengthen the resilience of these systems against cyber threats by encouraging the adoption of best practices and standards for cybersecurity. It also established mechanisms for coordinating cybersecurity efforts between the government and private sector stakeholders within critical infrastructure sectors.
Cybersecurity Framework: The legislation endorsed the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a guideline for improving cybersecurity risk management. The framework provides a flexible and voluntary approach for organizations to assess and enhance their cybersecurity posture based on industry standards and best practices. By promoting the adoption of this framework, the Cybersecurity Act aimed to standardize cybersecurity practices across different sectors and promote consistency in cybersecurity efforts.
Protection Of Privacy And Civil Liberties: Recognizing the importance of balancing national security interests with individual privacy rights, the Cybersecurity Act included provisions to safeguard privacy and civil liberties. It required federal agencies to implement measures to protect the privacy and confidentiality of shared cybersecurity information and prohibited the use of such information for unauthorized purposes, such as surveillance activities unrelated to cybersecurity.
Cyber Threat Intelligence Integration Center (CTIIC): The act established the CTIIC, a federal agency tasked with integrating and analyzing cyber threat intelligence from various sources to provide timely and actionable insights to policymakers and relevant stakeholders. By centralizing the analysis of cyber threats, the CTIIC aimed to enhance the government’s ability to identify emerging cyber threats, assess their potential impact and coordinate response efforts effectively. Today, the CTIIC is a fusion center within the Office of the Director of National Intelligence.
The “Warranties” Offered By The Cybersecurity Act Of 2015: For companies that are authorized to provide services to the private sector and are willing to operate under the CSA 2015 policies and guidelines, there are significant benefits backed by congressional law that should be integrated into the Cyber ERM risk mitigation platform of every private sector company. These include but are not limited to:
“• Liability protection for sharing Cyber Threat Indicators. 6 U.S.C. § 1505(b). [referencing the U.S. Federal Code]
• Exemption from state disclosure laws when Entity shares Cyber Threat Indicators or Defensive Measures with a State, tribal or local government entity. 6 U.S.C. § 1503(d)(4)(B).
• Exemption from state regulatory use when Entity shares Cyber Threat Indicators or Defensive Measures with a State, tribal or local government entity. 6 U.S.C. § 1503(d)(4)(C).
• No waiver of privilege for sharing Cyber Threat Indicators and Defensive Measures. 6 U.S.C. § 1504(d)(1).
• Treatment as commercial, financial or proprietary information when so designated by Entity. 6 U.S.C. § 1504(d)(2).
• Exemption from Federal disclosure laws. 6 U.S.C. § 1504(d)(3).
• Ex parte communications waiver. 6 U.S.C. § 1504(d)(4).
• Exemption from federal regulatory use. 6 U.S.C. § 1504(d)(5)(D).
• Exemption from federal antitrust laws. 6 U.S.C. § 1504(e).”
If you are not partnered with a company that is able to put these into contractual commitments, you may be forfeiting the single biggest Cyber ERM tool available to the industry. At a minimum, it provides the Board, the C-suite and other executives the ability to have a conversation about material indicators of compromise without the associated liability. If you think “third-party attorney-client privileged conversations” have you covered, think again. See Data Breach Report in Capital One Litigation Not Privileged.
The enactment of the Cybersecurity Act of 2015 marked a significant milestone in the nation’s cybersecurity strategy, reflecting a recognition of the evolving cyber threat landscape and the need for coordinated action to address gaps in the current risk and liability landscape.
Looking ahead, the evolving nature of cyber threats and the associated liabilities will continue to present new challenges for cybersecurity policymakers and practitioners. Fortunately, we have discovered that the Cybersecurity Act of 2015 laid a foundation for the expansion of capabilities and “warrants that limit liability” to address this new world. Without these tools, a significant component of the Cyber ERM strategy would be absent.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.