By Alan Brill, Senior Managing Director, Cyber Risk, and Ken Joseph, Managing Director, Disputes and Investigations
If the Securities and Exchange Commission’s February 2018 guidance on cybersecurity represented a wake-up call, the Sept. 26th enforcement settlement involving a one-million-dollar penalty for failure to have appropriate cybersecurity measures in place should be a very loud alarm bell for both executives and boards of directors.
The SEC’s guidance is based on the very real fact that an organization’s financial, operational and technology systems are intertwined, and that protecting the integrity of both a company’s books and its sensitive customer information is inextricably linked to cyber security.
There is no lack of clarity in the message associated with this settlement and penalty. The SEC expects companies not only to have commercially reasonable standards, policies and procedures for cyber security in place, but to implement them, along with compliance and audit procedures that assure they are working as intended.
There is also an expectation that management and boards understand that cyber security is not a “one and done” proposition. As an organization’s business evolves and technology changes, the policies and procedures, along with their associated compliance measures, must also change. Cyber security must be just as dynamic as the risks to the systems. System monitoring is becoming a recognized (and expected) best practice.
It is also clear that an organization cannot limit its concern about cyber security to its own cyber operations. Those who can access your systems – independent contractors, partner organizations, supply chain partners, vendors or others – and those with whom you share nonpublic data must also be considered. How are they authenticated? The settlement announced on Sept. 26th involved attackers who were able to establish or take over – through social engineering – independent contractor accounts, and who used those accounts to commit crimes through the company’s systems. How are these third parties limited in what they can see and do? What alarm mechanisms are in place to provide real-time monitoring of user accounts for unusual activity?
In a case involving a company that had suffered significant data breaches, analysis showed that it had comprehensive cyber security standards and policies, which it eventually described as “aspirational” rather than a statement of what it had actually committed to do. The SEC – as well as other regulators and potential class-action plaintiffs – expects stated standards to match the controls that are actually in place. Without periodic and independent evaluations, active monitoring, and the identification and evaluation of anomalies, there is a risk of actual practice deviating from the expectations set out in a company’s standards.
Assuming that an organization has commercially reasonable standards that comply with legal and regulatory requirements, it is the gap between expectation and reality that leads to problems. Just as hackers look for and exploit vulnerabilities in systems and procedures, regulators and investors can be expected to be greatly troubled when such gaps should reasonably have been covered by cyber security practices, identified through monitoring procedures, and appropriately investigated and responded to.
Actual problems identified through monitoring, compliance and audit processes represent another input to the continuous improvement process.
The SEC’s action clearly shows that it is serious about this issue, and that it is staffed and ready to conduct enforcement actions relating to cyber security.
How can we help?
Kroll, a division of Duff & Phelps, has been helping clients in the cyber security space for over 30 years. We understand that even the best-intentioned cyber security processes can fail, or can fail to evolve.
Our experience indicates that the biggest danger faced by managers and directors in considering the SEC’s guidance and enforcement actions is not knowing the actual state of cyber security implemented within their organizations. Without actual and detailed knowledge, risk can’t be assessed and effective response becomes difficult or impossible.
Kroll has developed methods for working with organizations to efficiently assess cyber security standards and policies, and for determining how effectively a compliance program assures that the standards are actually implemented. Assuring that a company has a well-considered risk assessment, that it understands its actual cyber security posture, and that it has identified the gaps is vital.
Where gaps exist, we can help organizations to improve their standards and policies, to mitigate risks and consider opportunities for risk transfer. In appropriate cases, we can provide a professional to act as a Chief Information Security Officer on a dedicated basis until an appropriate candidate is located, or a shared CISO on an ongoing basis. For organizations subject to the Payment Card Industry Data Security Standard, it is important to know that we are a Qualified Security Assessor under the PCI program.
We also have significant experience helping our clients assure that their cyber incident response programs are ready to implement when a problem arises. Our specialists can create and run customized tabletop exercises to determine operational readiness.
Given the prior SEC cyber security guidance and the Sept. 26th enforcement announcement, firms cannot simply assume that their cyber security complies with the guidance and best practices. Not knowing is, to put it simply, not acceptable.
We’re here to help.