Building a Healthy Cyber Security Ecosystem: A Three-Part Discipline
October 10, 2016
Data security breaches, legal requirements, customer obligations, demands by shareholders and boards of directors—these are but some of the variables that fuel enterprise concern with cyber security. It is a complex area, littered with critical, dynamic variables that can significantly impact or cripple (individually and collectively) every single aspect of your company's operations. Building and maintaining a healthy cyber security ecosystem is complex, but certainly achievable once the proper resources and discipline are put into place.
A "healthy" cyber security ecosystem is synonymous with one that is "reasonable." But what does that really mean? The implementation challenge begins with a definitional gap—the fact that there is no single law on point. This creates a partial legal and regulatory vacuum, one in which organizations need to build their own cyber security policies and procedures.
The good news is that regardless of the sector in which your organization belongs or the laws which directly apply to it, the reasonable cyber security ecosystem is defined as the product of three disciplines: (i) a thorough understanding of all the relevant laws, regulations, and industry standards; (ii) the existence of information technology best practices; and (iii) syncing items (i) and (ii) with your corporate culture. Any gap in any of these components will dilute the effort and render the end result "unreasonable."
A key deliverable from a proper implementation of items (i) through (iii) is an Information Security Policy (ISP). Its importance cannot be overstated. The ISP serves both as a formal recordation of your company's cyber security posture and as the guiding operational principles that need to be systematically followed in order to ensure the "reasonableness" status is maintained.
Further good news here is that a reasonable cyber security ecosystem is not required to be flawless. Finding a defect is not fatal; it does not automatically render the ecosystem "unreasonable." For example, a company that effectively implements monitor-test-validate data security processes can continue to maintain a "reasonable" status even when a system defect is identified.
Put differently, the law's focus is not solely on the existence of a "flaw." The law is more concerned with how it was patched. If it was completed promptly, and effective controls were adjusted to minimize recurrence, that is typically sufficient.
Maintaining post-breach operational resiliency is another important feature of maintaining a reasonable cyber security ecosystem. While this requirement is not driven by law, it is frequently driven by contract, even if not explicitly stated. For that to be in place you need to have good insurance.
"Good" insurance means your policy focuses on cyber security and is tailored to your specific operations. Relying on legacy, general instruments, such as Comprehensive General Liability (CGL), is a risky proposition, as courts have yet to establish a good track record of providing clarity on data breach CGL coverage. Even favorable rulings (e.g., Travelers v. Portal Health Solutions) are not binding on other jurisdictions, and the fact patterns tend to be so specific as to render the precedent of academic value only.
Once the cyber security insurance policy is provided, the real work begins: a diligent analysis is required prior to its purchase. Such policies are typically riddled with coverage exclusions. Failing to remove or amend them so they fit your company's distinct operational needs renders the policy irrelevant, because your chance of recovering on a claim is less than slim.
To be effective, the diligent analysis requires experienced counsel. The attorney tasked with this review must: (i) possess a solid understanding of cyber security attack vectors; (ii) have an intimate familiarity with your ISP; and (iii) combine and leverage items (i) and (ii) to spot and remove or amend the problematic exclusions.
Data security breaches, customer demands, and management demands will continue to plague and test companies of all sizes and sectors. Legal, regulatory, and industry standards will also continue to become more complex. Fortunately, there is a solution: maintaining a reasonable cyber security ecosystem.
Published in the 2016 Cyber Security Summit Guide.
Eran Kahana is a technology and intellectual property attorney with extensive experience advising clients in domestic and international settings. His practice focuses on cyber security, patent, trademark, and copyright law. Eran serves as general counsel and on the Board of Directors for the Minnesota Chapter of InfraGard, a nonprofit partnership between the FBI and the private sector dedicated to the protection of critical infrastructure, and is a Research Fellow at Stanford Law School, where he writes and lectures on the legal aspects of using artificial intelligence.