capstone final presentation
TRANSCRIPT
Cybersecurity Disclosure: The Emphasized Need for Regulatory Framework
By: C. Caden, K. Kuley, N. Naour, M. Nash, K. Uppal
Cloud Computing
"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." - National Institute for Standards and Technology
or more simply…“providing large-scale computing resources over the internet”
Cybersecurity
"Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights."
Increased use of IT and Cloud Computing
Cybersecurity is not Just an IT Issue
Cybersecurity risk management is an enterprise-wide issue and should not be left to the IT department.
Management's reliance on IT general controls can have negative effects if those controls fail.
Governance of Enterprise Security: Carnegie Mellon CyLab 2012 Report
External Analysis- Economic
External Analysis- Legal
"The history of cybersecurity law reflects a mix of legal areas and sources: cybercrime, cyber warfare, national security (protection of critical infrastructure), legislative statutes, and presidential directive (Flowers et al., 2012)."
Cybersecurity Law compared with:
- Law Enforcement and the Law of Armed Conflict
- Environmental Law
- Antitrust Laws
- Cartels, Price Fixing
- Products Liability
- Criminal Negligence
External Analysis- Political
Internal Analysis
Disclosure cannot be so detailed and specific that the disclosure itself would harm the organization's cyber security.
Knowing when to disclose and what is material
Downstream disclosures
Existing Frameworks/Guidelines
CF DG 2 - Corporate Financial Disclosure Guidance 2
NIST - National Institute of Security and Technology
HIPAA - Health Insurance Portability and Accountability Act
COBIT 5 - Control Objectives for Information Technology
CFATS-Chemical Facility Anti-Terrorism Standards
GLBA - Gramm-Leach-Bliley Act
ISO - International Standards Organization
IEC - International Electrotechnical Commission
Existing Guideline ~ CF DG 2
Corporate Financial Disclosure Guidance Topic 2 (CF DG 2)
No specific obligation, falls under other obligations
Boilerplate
When to disclose
Risk Factor (10K)
Disclose in the MD&A if the cost/consequences are material
Remediation, prevention, litigation, qualitative
Legal Proceedings
Financial Statements
Existing Guideline ~ CF DG 2 ~ Reality
More of a rule
Materiality does not matter
Boilerplate disclosures
Lack of guidance
Existing Frameworks - HIPAA
Health Insurance Portability and Accountability Act - Law governing health care organizations to ensure patient health info remains confidential.
2003 Privacy Regulations:
1. Enact reasonable safeguards that protect the privacy of patient-identifiable information in any form, whether it is electronic, written or oral. For example, one such step may be establishing policies that patient information is not to be discussed in public areas.
2. Hospitals must also implement minimum necessary policies and procedures that limit how much protected health information is used, disclosed and requested for certain purposes.
3. Provide training for staff on privacy procedures. (Yoder, 2003)
Advantages - Goal is to inform, mandatory
Disadvantages - Limited to healthcare entities, limited access controls, inadequate monitoring and auditing of information systems, lack of a security incident and disaster recovery plan
Cybersecurity Framework 1.0 - NIST
An agency within the U.S. Department of Commerce, the National Institute of Science and Technology (NIST) conducts extensive research in measurement science and establishes standards in order to promote economic security.
The framework core component consists of these core functions: identify, protect, detect, respond, recover. The framework correlates each function with industry standards, including categories and subcategories for each function.
Lack of Obligatory Framework
The main issue to be discussed is the lack of an overarching formal framework or standard regarding cyber-attacks, particularly for communicating actual and potential cyber-attacks to shareholders. This needs to be addressed in order to limit information asymmetry.
Keyword Analysis
Findings:
- Most disclosures are boilerplate
- Industries with existing frameworks had a higher number of instances
- Higher rate of disclosures now than in 2004
Keyword Analysis
JP Morgan Chase - October 2, 2014
Approximately 200 million people's contact info stolen (~62% of United States)
NIST RFI Analysis
NIST RFI Analysis - Opinions on Transition
Recommendation
Push towards rules-based framework
Everyone is on the same page, Security conscious environment, Reduce cost
In line with audit firms
“Sales (2013) suggests the need for industry-wide security standards; these rules should be developed through partnership between regulatory agencies and private firms, rather than directly imposed via direct regulation”
Implementation Plan
ISO should incorporate NIST to increase international outreach
Using NIST as ‘backbone’
Incorporated into SEC/CSA
Appoint cybersecurity specialist to board of directors
SEC will have to decide if it will remain voluntary for certain industries or companies, to reduce issues for new/small companies
Should continue to solicit information from users of the framework via RFIs as updates continue
Set a date for standardizing the voluntary framework, allowing non-compliant companies some time to become compliant.
Thank you!