Cybersecurity Disclosure: The Emphasized Need for Regulatory Framework By: C. Caden, K. Kuley, N. Naour, M. Nash, K. Uppal

Upload: kartik-uppal

Post on 11-Jan-2017


TRANSCRIPT

Page 1: Capstone Final Presentation

Cybersecurity Disclosure: The Emphasized Need for Regulatory Framework

By: C. Caden, K. Kuley, N. Naour, M. Nash, K. Uppal

Kevin Kuley
Can I suggest we get rid of this slide, or move it up to the intro
Kevin Kuley
Can I suggest a change to this logo?
Page 2: Capstone Final Presentation

Cloud Computing: "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." - National Institute of Standards and Technology

or more simply…“providing large-scale computing resources over the internet”

Cybersecurity: "Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights." (Craigen et al., 2014)

Page 4: Capstone Final Presentation

Cybersecurity is not Just an IT Issue

Cybersecurity risk management is an enterprise-wide issue and should not be left to the IT department alone.

Management's reliance on IT general controls can have negative effects if those controls fail.

Governance of Enterprise Security: Carnegie Mellon CyLab 2012 Report

Page 5: Capstone Final Presentation
Page 6: Capstone Final Presentation

External Analysis- Economic

Page 7: Capstone Final Presentation

External Analysis- Legal

"The history of cybersecurity law reflects a mix of legal areas and sources: cybercrime, cyber warfare, national security (protection of critical infrastructure), legislative statutes, and presidential directive (Flowers et al., 2012)."

Cybersecurity law compared with:

- Law enforcement and the Law of Armed Conflict
- Environmental law
- Antitrust laws (cartels, price fixing)
- Products liability
- Criminal negligence

Page 8: Capstone Final Presentation

External Analysis- Political

Page 9: Capstone Final Presentation

Internal Analysis

Disclosure cannot be so detailed and specific that the disclosure itself would harm the organization's cyber security.

Knowing when to disclose and what is material

Downstream disclosures

Page 10: Capstone Final Presentation

Existing Frameworks/Guidelines

CF DG 2 - SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2 (Cybersecurity, 2011)

NIST - National Institute of Standards and Technology

HIPAA - Health Insurance Portability and Accountability Act

COBIT 5 - Control Objectives for Information and Related Technology

CFATS - Chemical Facility Anti-Terrorism Standards

GLBA - Gramm-Leach-Bliley Act

ISO - International Organization for Standardization; IEC - International Electrotechnical Commission

Page 11: Capstone Final Presentation

Existing Guideline ~ CF DG 2

CF Disclosure Guidance: Topic No. 2 (CF DG 2), issued by the SEC Division of Corporation Finance

No specific cybersecurity disclosure obligation; cyber incidents fall under existing disclosure obligations

Boilerplate

When to disclose

Risk Factors (Form 10-K)

Disclose in the MD&A if the costs or consequences are material (remediation, prevention, litigation, and qualitative effects)

Legal Proceedings

Financial Statements

Page 12: Capstone Final Presentation

Existing Guideline ~ CF DG 2 ~ Reality

More of a rule

Materiality does not matter

Boilerplate disclosures

Lack of guidance

Page 13: Capstone Final Presentation

Existing Frameworks - HIPAA

Health Insurance Portability and Accountability Act - law governing health care organizations to ensure patient health information remains confidential.

2003 Privacy Regulations:

1. Enact reasonable safeguards that protect the privacy of patient-identifiable information in any form, whether electronic, written or oral. For example, one such step may be establishing policies that patient information is not to be discussed in public areas.

2. Hospitals must also implement "minimum necessary" policies and procedures that limit how much protected health information is used, disclosed and requested for certain purposes.

3. Provide training for staff on privacy procedures. (Yoder, 2003)

Advantages - Goal is to inform; mandatory

Disadvantages - Limited to healthcare entities; limited access controls; inadequate monitoring and auditing of information systems; lack of security incident and disaster recovery plans

Page 14: Capstone Final Presentation

Cybersecurity Framework 1.0 - NIST

An agency within the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) conducts extensive research in measurement science and establishes standards in order to promote economic security.

The Framework Core consists of five core functions: Identify, Protect, Detect, Respond, Recover. Each function is divided into categories and subcategories, and each subcategory is mapped to informative references drawn from existing industry standards.

Page 15: Capstone Final Presentation

Lack of Obligatory Framework

The main issue to be discussed is the lack of an overarching formal framework or standard for cyber-attacks, particularly for communicating actual and potential cyber-attacks to shareholders. This needs to be addressed in order to limit information asymmetry.

Page 16: Capstone Final Presentation

Keyword Analysis

Findings:

- Most disclosures are boilerplate

- Industries with existing frameworks had a higher number of instances

- Higher rate of disclosures now than in 2004

Page 17: Capstone Final Presentation

Keyword Analysis

JP Morgan Chase - October 2, 2014

Approximately 200 million people's contact information stolen (~62% of the United States)

Page 18: Capstone Final Presentation

NIST RFI Analysis

Page 19: Capstone Final Presentation

NIST RFI Analysis - Opinions on Transition

Page 20: Capstone Final Presentation

Recommendation

Push towards a rules-based framework

Everyone is on the same page; security-conscious environment; reduced cost

In line with audit firms

"Sales (2013) suggests the need for industry-wide security standards; these rules should be developed through partnership between regulatory agencies and private firms, rather than directly imposed via direct regulation."

Page 21: Capstone Final Presentation

Implementation Plan

ISO should incorporate NIST to increase international outreach

Use the NIST framework as the 'backbone'

Incorporate it into SEC/CSA requirements

Appoint a cybersecurity specialist to the board of directors

The SEC will have to decide whether it will remain voluntary for certain industries or companies, to reduce the burden on new/small companies

NIST should continue to solicit information from users of the framework via RFIs and continue issuing updates

Set a date for standardizing the voluntary framework, allowing non-compliant companies some time to become compliant

Page 22: Capstone Final Presentation

Thank you!