Caveat 8.3.23
Ep 182 | 8.3.23

Roll out the red carpet for cyber regulations.

Transcript

Valerie Abend: Really understanding who and how the process is going to run to determine that you have a reasonably practical timeframe that's well-governed, well-documented, practiced involves all the right executives for determining that it is actually material. So the challenge won't be, once I've determined it, I'm going to have four days to tell the SEC this happened. I think the challenge is how do I have a defensible or regulatory defensible approach for really governing that process for determining materiality?

Dave Bittner: Hello, everyone, and welcome to Caveat, the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner. And joining me is my cohost Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today Ben shares an interesting case concerning Internet preservation law. I look at an article from Lawfare that ponders the cybersecurity insurance market, and later in the show, my conversation with Valerie Abend. She's global cyber strategy lead at Accenture, and we're discussing the Securities and Exchange Commission's recently announced cyber regulations. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right. Ben, we've got some interesting topics to cover here. Why don't you start things off for us.

Ben Yelin: So mine comes from the Volokh Conspiracy blog on the Reason website, and it is written by a Berkeley professor who shall remain nameless. Spoiler alert, it's Orin Kerr. But, really, it's been a few weeks since I've shared one of his pieces, so we were due, right?

Dave Bittner: Sure.

Ben Yelin: So this concerns a case that came out of a Nevada magistrate judge's opinion concerning Internet content preservation. So when agents either in federal law enforcement or state law enforcement think that a person might have committed a crime, or there's evidence that they're involved in criminal activity, agents will order Internet providers to make a copy of a person's entire account. So usually that's some type of social media account. Could be their email account. And they store it away so that the government, if it needs to access it later on for law enforcement purposes, is able to access it. But once the third party here has created the copy, then obviously, the suspect, the person who's accused of committing a crime, doesn't have the opportunity to wipe that data clean.

Dave Bittner: Oh. I see.

Ben Yelin: So it's a way to preserve Internet data just in case law enforcement needs that information for a criminal investigation.

Dave Bittner: Okay.

Ben Yelin: There's a federal statute. It is the Stored Communications Act, Section 2703(f). For those nerds out there. Usually when we talk about 2703, it's about 2703(d). But a lesser-known provision requires Internet providers to comply with these requests for preservation. And, as Orin Kerr notes, this happens very frequently. Apparently, in 2019, the last time this data was studied, about 1 in every 820 adults had one of their accounts copied for possible government use.

Dave Bittner: Really.

Ben Yelin: That really seems like a lot to me. I don't know about you.

Dave Bittner: It seems like a lot to me, too.

Ben Yelin: And the person whose data is being copied never has any idea that this has taken place. This happens just with the cooperation of the private company and at the behest of law enforcement. So the government does need a warrant to eventually search that data.

Dave Bittner: Oh. I see.

Ben Yelin: But -- so the warrant does come in at that point. But this practice of preservation allows the government to gain access to that data that they would have not otherwise been able to access because, presumably, the suspect would be smart enough to delete it.

Dave Bittner: And the service provider is obligated to do this by law.

Ben Yelin: Right. Now, that's actually one of the interesting elements of this case: the word used in the statute is "request." But if you don't comply with a request, there are penalties for these private companies.

Dave Bittner: I see.

Ben Yelin: So it's sort of like when the government requests that, you know, you come with them with their guns blazing.

Dave Bittner: Right. Or I was going to say, when my mom used to request that I clean my room, but yours is much more forceful.

Ben Yelin: Yeah. No, I like your example, though. I mean, it's a request in name only.

Dave Bittner: Right.

Ben Yelin: If you don't comply with the request, you're going to be in a lot of trouble.

Dave Bittner: Yeah.

Ben Yelin: So this brings us to a case that came out of Nevada. It is concerning a criminal defendant named Mr. King who was accused of trafficking in child pornography. It's actually a terrible story. The victim of this abuse and her mother went to law enforcement. She said that she was being abused by somebody. She was under age. And then through some pretty good investigative police work they were able to find this guy. But all of the evidence was circumstantial. They saw in one of the pictures that he was wearing a pair of distinctive white shoes. And then they went to the neighborhood where he lived, ended up stumbling upon a house with a bunch of roommates, saw somebody wearing those shoes. That ended up being their level of suspicion. So, certainly, that wasn't probable cause to retain this person's devices. So they get his device, and they search a couple of accounts that he has on a couple of encrypted messaging applications. And, after going through the process, they get enough evidence to charge him. And he is challenging the criminal charges here and asking for evidence to be suppressed, saying that this is an illegal seizure under the Fourth Amendment. So there are kind of two questions here. The Fourth Amendment only applies against government action. And, here, it's the private company that technically takes the action here. So the first question is, does the Fourth Amendment apply at all here? Is there government involvement? Is the private company acting at the behest of the government?

Dave Bittner: Right. Well, the gov -- or the private company wouldn't do this if not for the government requesting it, right?

Ben Yelin: They certainly would not. And that's not how the judge sees it in this case. Basically, the judge says, as it relates to these companies, they are O-M-E-G-L-E. Do you know how you pronounce that? Omegle?

Dave Bittner: No, no.

Ben Yelin: I'll go with Omegle. And TextNow. Those are the two applications that were at issue here. Basically, he's -- the magistrate judge here says that they do not qualify as the government. One of the things that the judge cites is that the government is simply requesting that a copy of the data be made. Of course, as we've noted and as Orin Kerr notes, it is a request in name only. Really, they are being compelled. I mean, they're being forced to do this. And, as you said, this data would not be copied without the government's involvement.

Dave Bittner: Right.

Ben Yelin: Another thing this judge says is that the individual here, the criminal suspect still has full dominion over his account, even when the government receives a copy or the third party, the private company here, has made a copy. But that shouldn't disabuse the idea that the -- this is some type of government action. I mean, if government had access to our physical property by really compelling a private party, any type of third party to grant access --

Dave Bittner: Right.

Ben Yelin: -- I think all of us would consider that to be some type of government involvement.

Dave Bittner: That's like saying that, you know, if the government asks the building manager to unlock your apartment, that the -- what it seems to me like this judge is saying is that that's not a -- that's not the government's responsibility because the building manager was the one who opened the apartment door. Right.

Ben Yelin: Yeah. I mean, that seems completely illogical to me. And I think it did to Professor Kerr as well. I think that's actually a perfect example because, presumably, the government in that situation has the full force of the government, meaning some guns. They can force the person to open that door through a lot of pressure. I mean, the government is big and can do a lot of bad things to you. So, when they request something, it's not just, Hey, can you please do this? If not, no hard feelings. It's do this, or else you're going to get in trouble.

Dave Bittner: Yeah.

Ben Yelin: Then the second part of this opinion, the judge concludes that even if these providers were state actors or were acting at the behest of the state, running a copy of the account that the defendant could not control doesn't amount to a seizure. If the rest of our federal court system copied the reasoning of this magistrate judge, as Professor Kerr says, then the government could just order anyone's accounts to be copied without limit because there would be no seizure with the government making these copies. And this just seems like pretty poor legal reasoning, in my view. Yes, the Internet providers do have possession of the user data. It's stored on their servers. But in Professor Kerr's mind, and I completely agree with this, why would that mean that making a copy of this data doesn't count as a seizure? And he posits this really interesting hypothetical. It's actually quite similar to yours. But let's say there's drugs wrapped in aluminum foil in your freezer in an apartment that you share with your roommate.

Dave Bittner: Yeah.

Ben Yelin: And the government goes to your roommate and says, Go into your apartment, go inside the freezer; you'll find a package of drugs in aluminum foil. Bring the package to us now. Otherwise, we'll arrest you for obstruction of justice. Obviously, your roommate would get that package from the freezer and give it to the government. I think all of us in those circumstances would agree that those drugs have been seized for Fourth Amendment purposes, even though the individual user technically still has access to that freezer and those drugs.

Dave Bittner: Right.

Ben Yelin: The fact that the roommate in this hypothetical or the third party here has common authority over the contents of this information, it just doesn't seem relevant to the Fourth Amendment question as to whether there has been a seizure.

Dave Bittner: So okay. So could they make the -- could the -- in the government in this case, could they make the case, then, that they did not seize the items, that they were, in fact, surrendered?

Ben Yelin: Well, how would you describe that distinction? Because you're saying that they were voluntarily surrendered and not seized?

Dave Bittner: Correct. As you say, the roommate has access to the freezer. The government has requested, air quotes.

Ben Yelin: Right.

Dave Bittner: Right. I can't help -- I don't want to get off on too much of a tangent here, but this is really reminding me of the case we're seeing right now where I think it's the NSA who's lobbying Congress to say, Please don't take away our ability to buy location data from third parties.

Ben Yelin: Right.

Dave Bittner: You know. Like, it's a -- it's like it's an end around.

Ben Yelin: It is an end around.

Dave Bittner: Yeah.

Ben Yelin: And you could say, yes, they're just collecting this data. The government still needs a warrant to search it.

Dave Bittner: Right.

Ben Yelin: But it is still the government compelling these companies to retain data that could otherwise be deleted because, otherwise --

Dave Bittner: Right.

Ben Yelin: -- it would be in the full dominion and control of the criminal defendant. It's not, and it's not because the government has gotten involved using their authority under Section 2703(f).

Dave Bittner: Right.

Ben Yelin: So, yeah. I just don't think that is a meaningful distinction. It seems quite clear to me that a seizure has taken place because they've literally -- and I know, we don't like to lean heavily on the dictionary definition of words, but they have seized a copy of somebody's account. It is in -- it is something that has been taken. It is not fully under the dominion and control of that criminal defendant. And that I think, in everyday parlance and in the legal world, should count as a seizure.

Dave Bittner: If we try to put ourselves in the mind of this Nevada magistrate judge, where do we think he's coming from?

Ben Yelin: Well, there's kind of the cynical view of it and the noncynical view of it. The noncynical view is that this is just a good faith reading of Fourth Amendment case law, that we don't really have a lot of precedent on Internet preservation and that there are some cases, when you analogize it to the physical world and you're kind of trying to suss out what a seizure means, I think you could conceivably argue that this is not a seizure. I happen to disagree with that argument. But it does match up somewhat with Fourth Amendment case law about a third party having access to something, even though the primary person still can access it him or herself, even though I think that's kind of missing the forest for the trees here. So that's one element of it. The more cynical view would just be, because we went through the process of discovering -- going through a criminal investigation and realize that this guy has been trafficking in child pornography and is a bad dude and has sexually abused this young girl, why would you want to let this criminal defendant off on a constitutional technicality?

Dave Bittner: I see.

Ben Yelin: This is just a magistrate judge, not to diminish the role of a magistrate judge. They're awesome. I wish I could be one someday. But this will go to a federal district court judge.

Dave Bittner: Okay.

Ben Yelin: Who will have the chance to hear an appeal on this motion. And if either party is not happy with that appeal, go back up to the federal courts of appeals. So we need to stay tuned here.

Dave Bittner: Yeah.

Ben Yelin: But this is just what I thought was a really interesting case. I think not a lot of people realize that the government has the ability to mandate Internet preservation and that it happens with kind of alarming frequency. It's hard to conceptualize 1 out of every 82 adults in this country, but that's a lot of people. And, you know, given that our podcast has so many listeners, I'm sure that means many of you have had your data copied pursuant to Section 2703(f).

Dave Bittner: Is there any way for us to find out? Can we make, like, a FOIA request or something?

Ben Yelin: I don't think so. I think the -- first of all, the FOIA request would take forever.

Dave Bittner: Yeah.

Ben Yelin: And I think -- I'm not an expert in administrative law, but I think probably this would fall under one of the exceptions of FOIA if it was an active criminal investigation, though don't quote me on that one. But, yeah. I mean, I think -- I don't think the person whose data has been collected is ever really privy to what goes on between the government and the private company.

Dave Bittner: Wow. All right. Whew. There's a lot to unpack there.

Ben Yelin: A lot to unpack there. I thought it very interesting.

Dave Bittner: It is, it is. All right. Okay. Well, we will have a link to that story in the show notes. My story this week comes from the folks over at Lawfare. This is an article written by Tom Johansmeyer I believe is how you pronounce his last name. And I apologize in advance if I got it wrong. And this is, oh, gosh. I guess it's fair to say listeners of the show would know that this is a pet topic of mine.

Ben Yelin: Sure is. Yeah.

Dave Bittner: Cyber insurance. And this article is titled, If Cyber is Uninsurable, the United States Has a Major Strategy Problem. And this -- the core of this is the notion of whether or not, ultimately, private companies are going to be able to insure cyber for other private companies so private insurance companies. Is cyber -- is the cyber insurance market viable I guess is what I'm getting at here. Or --

Ben Yelin: As the eight ball might say, All signs point to no.

Dave Bittner: Well, that's interesting in this article. But as I have often wondered, will cyber insurance go the way of flood insurance where it is not a good business to be in. And so, ultimately, you need to have a federal backstop here. And this article unpacks a lot of the different elements of that. The author here talks to a number of executives in the insurance world. The recently released US National Cybersecurity Strategy, one of the focuses of it is private sector -- public-private partnerships and private sector support, and that includes the insurance industry. But that strategy also says that they need to explore the need for a federal insurance response to a catastrophic cyber event to support the cyber insurance market, which I think is interesting as well. This article points out the notion of a -- what would a catastrophic cyber event look like? What if the Internet, the entire Internet went down for a week.

Ben Yelin: Kind of a cyber one, extending the flood insurance metaphor would be like a cyber Katrina where an entire subset of the Internet comes offline because of a cyber incident. It's so catastrophic economically that the private sector is unable to recoup the losses.

Dave Bittner: Right.

Ben Yelin: Yeah.

Dave Bittner: Right. And one of the executives that they talked to for the story said that he's avoiding coverage for cyber, in other words, avoiding providing coverage for cyber because he says that insurance is a promise, and he doesn't want to make promises that he can't keep, which is an interesting perspective. I think a good one.

Ben Yelin: Yeah. Kind of scary from a policy perspective. But, I mean, you understand it from the perspective of these companies because they are actuaries. They're evaluating risk. And the risk, given all the threats out there, is quite high.

Dave Bittner: Yeah.

Ben Yelin: It seems like we're going to have to eventually develop a policy that combines private sector tools with a federal backstop.

Dave Bittner: Right.

Ben Yelin: And I think that's what they're getting at here. I don't know if you've ever heard anything about the insurance linked securities market?

Dave Bittner: Go on.

Ben Yelin: I know very little about it except what I read just in preparing for this -- for the segment. But, basically, it would be a way for specialized investment managers to provide more capital to recoup cyber risks. I don't know exactly how that would work. But that would be a private sector driven solution. Yeah. And then, failing that, you could have at least a de minimis federal backstop the way we do with flood insurance, although the National Flood Insurance Program, to put it mildly, has not been an overwhelming success.

Dave Bittner: No, no. I mean, it's lousy insurance. It's -- you know, it's -- yeah. It's expensive insurance that doesn't cover very much.

Ben Yelin: Right, right.

Dave Bittner: But you're required to have it if you have a home that is in a flood zone. You got -- and you have a mortgage, a federally insured mortgage, you're required to have it. So that's that. The interesting item from this article that I was not aware of is that a lot of insurance companies turn around and reinsure their risk. So, in other words, I sell you cyber insurance, and it includes X, Y, and Z. But for the really catastrophic stuff that I've covered before, I am then going to go buy a policy from another insurance company who's bundling together, you know, these catastrophic policies from lots of different insurance providers.

Ben Yelin: Doesn't this feel very 2007, 2008 to you? I just feel like that's ringing alarm bells. Like the house of cards will end up falling in on itself if there is actually a cyber catastrophe --

Dave Bittner: Yeah.

Ben Yelin: -- because the insurers won't be able to pay, and those who insured the insurers won't be able to pay. And then the entire system comes crashing down. I'm just throwing that out there as a --

Dave Bittner: Yeah.

Ben Yelin: -- flagging that as a potential problem.

Dave Bittner: Well -- and, again, to get back to the federal response, this article points to there's a policy in place in response to the 9/11 attacks. There's a terrorism policy that is a backstop for, if your building fell down because terrorists attacked it, rather than just relying on private coverage, there is now a federal response in place as well. And so the government has done this --

Ben Yelin: Right.

Dave Bittner: -- with this, with flood insurance, you know. So it's possible. I was, however, interested to see that I think seven out of the eight high-level insurance executives that the author of this article interviewed were actually quite bullish about cyber insurance and felt as though it is viable, that we have enough information to know what the risks are, that the day-to-day risks aren't that bad. Yes, the major catastrophic risks are still an issue. But for day-to-day business and covering people for their regular cyber insurance needs, they seem to feel like they have a pretty good handle on it and that they understand the basic numbers behind it.

Ben Yelin: Yeah. That was far more bullish than I would have expected too. You know, I don't think that necessarily is reassuring for the type of scenario that's contemplated here where there's something so catastrophic that it's not just an individual company or government agency making a claim, which is something that, as you say, the companies are pretty good at pricing out in terms of risk, but it's something that's systemic.

Dave Bittner: Right.

Ben Yelin: That's where I think the issue comes in, and that's where I think we need some type -- potentially, at least, at some point in the future some type of federal backstop the way we do flood insurance.

Dave Bittner: Yeah.

Ben Yelin: I just think when you look at risk in a broader, writ large perspective, it's something that could potentially affect the entire country the way some type of massive hurricane could affect the economy of the entire country and certainly the physical infrastructure of a large community.

Dave Bittner: Right.

Ben Yelin: So with a risk that large, I think it kind of behooves the government to at least consider getting involved as a backstop.

Dave Bittner: Yeah. They point at, like, the Colonial Pipeline issue as being sort of a wake-up call for folks in the industry. But my sense is that there has not been a cyber Hurricane Katrina so far or Hurricane Andrew, you know, something that just strips the landscape of all buildings, that -- everybody talks about either a cyber 9/11 or a cyber Pearl Harbor, if you're talking about adversarial types of things. But I don't -- I mean, do you -- when you think about it, do you think we've -- we've come close to anything like that?

Ben Yelin: No. I mean, what scares me about the Colonial Pipeline situation is that was a relatively small-scale attack. It only affected a single company. That company happens to supply most of the gasoline on the Eastern Seaboard of the United States.

Dave Bittner: Right.

Ben Yelin: And it was extremely disruptive. I mean, for the first time since the 1970s, people at least in parts of the East Coast were dealing with massive gas lines.

Dave Bittner: Right.

Ben Yelin: So if something that small in scale can have such serious kinetic effects, it's something that should keep us up at night --

Dave Bittner: Yeah.

Ben Yelin: -- because it's -- that's still a relatively small company, all things considered. I mean, it's a large corporation, but it's not like they attacked one of the, you know, absolute biggest oil companies or one of our larger utilities; like, it was still pretty limited in scope in terms of the original attack.

Dave Bittner: Right.

Ben Yelin: So the fact that it had such a large impact I think absolutely should open our eyes.

Dave Bittner: Yeah, yeah. All right. Well, we will have a link to this article in the show notes. Again, this is from the folks over at Lawfare. And it's definitely worth a read. I have to admit, say, admit, brag about, I don't know, that it really did help me recalibrate my understanding of how cyber insurance works, which also leads to me recalibrating how I think about this and approach this. You know, I think -- I still think the analogy to flood insurance is a good one. But I'll say my understanding of it, thanks to this article, is a lot more nuanced.

Ben Yelin: Yeah. It's a great article with a lot of useful information and very well-researched.

Dave Bittner: Yeah.

Ben Yelin: I think they talked to a lot of people who are involved in the cyber insurance market. So it was somewhat reassuring, as we said, to hear that I think they're getting better at pricing these risks. So I found that aspect of it encouraging for sure.

Dave Bittner: Yeah, yeah. Absolutely. All right. As I said, we will have a link to that in the show notes. And, of course, we would love to hear from you. You can email us. It's caveat@n2k.com.

Ben, I recently had the pleasure of speaking with Valerie Abend. She is the Global Cyber Strategy Lead at Accenture. And we were discussing the Securities and Exchange Commission's recently announced cyber regulations. Here's my conversation with Valerie Abend.

Valerie Abend: Back in February of 2022, the SEC proposed new rules to help shareholder transparency around cybersecurity. That includes incidents as well as how companies govern and manage cyber risks. They took a lot of time to consider public input. And so what they've done is they finalized those rules through an SEC vote. And those rules cover both incident materiality, and so whether or not an incident has had real significant impact on a company and how you would communicate that in a public way through your filings that you would do as a publicly held company with the SEC, as well as how do you disclose on an annual basis how you're managing cyber risk and cyber risk management across the company; what is your board, your board of directors' responsibilities around oversight of that cyber risk management; and then, you know, a little bit about what you would do in terms of if you needed to have a delay, particularly because of national security, public security interests.

Dave Bittner: One of the things here that caught my eye and I think is getting a lot of attention is this idea that organizations will be required to report an incident within four days. But then there's the little -- the little kicker that says within four days of determining that it is material. I can just imagine in-house counsel licking their lips at the variability of that word, material.

Valerie Abend: Yeah. So I think it's really important to hit this point up front. It's not about four days of having an incident. The requirement is that you have a reasonably practical timeframe for determining whether or not an incident is material or not and you have a pretty good process then to do that, which we should dig into. But it's really, once you determine that something is material, you have four days to report it.

Dave Bittner: And what's the response been to this?

Valerie Abend: I think generally people who work in publicly held companies, all of the people that I've talked with, both CEOs all the way through their chief information security officers say, you know, we already have to report when we have a cyber incident that is material. And so having four days to actually make that report happen isn't a big challenge. I think where the gap is, is really understanding who and how the process is going to run to determine that you have a reasonably practical timeframe that's well-governed, well-documented, practiced, involves all the right executives for determining that it is actually material. So the challenge won't be, once I've determined it, I'm going to have four days to tell the SEC this happened. I think the challenge is how do I have a defensible -- a regulatory defensible approach for really governing that process for determining materiality, not only in the face of when an incident has occurred but also over time because incidents change over time. And maybe you thought it wasn't material, but now maybe suddenly it has become material because of intellectual property that maybe was now determined to have been taken whereas before you didn't realize it was. Or perhaps you're facing regulatory fines that you didn't know you were going to face or perhaps that attribution of who did the attack is changed, and all of those things could determine you have to reevaluate whether it is material and then report.

Dave Bittner: And has the SEC indicated that they'll be having scrutiny over this so after an event to go in and say, was the pathway towards the determination that this is material, was that reasonable and timely?

Valerie Abend: So you've hit it spot on, Dave. This is the thing. When you have an incident, that's when all these things become challenging, right? The final rule for a regulator is not going to give you the example of what best practice looks like. It's not going to tell you exactly how your process should go. The problem will come when you have an incident. And maybe you didn't think it was material, and they come in and they realize it was material. And the reporting didn't happen, and you didn't have a really good process. And the SEC says, show me all the documentation. Show me how you made that decision. Show me who was involved. How did you practice that so that you had a good process that you evolved over time based on the risk of your company and the threats it's facing? And that will be the challenge: you know, a lot of folks who don't get through that process before they have an incident will be caught flat-footed.

Dave Bittner: I know another concern that's been voiced is this notion that organizations may have to reveal too much information, that in the process, in the timeliness of revealing that the incident has occurred, that that could be an opportunity for other attackers to take advantage of that intelligence.

Valerie Abend: So the SEC made some pretty significant changes between the proposed rule and what they ultimately voted out should be the final regulation. And one of the things that they changed, which I think was really, you know, smart was how much information, how much detail in this public filing you have to include about what was attacked, are you still vulnerable so that you don't provide a roadmap, right, to the bad guys about what they should continue to attack you on or even attack others on. So they did narrow what you have to disclose in the face of an incident. And I think that was really smart. And it got a lot of comment from, you know, public companies and, you know, from the industry about -- about that exact thing. How do we do the right thing to provide shareholder transparency, but how do we also manage the risk of further exposure to that company or any other companies.

Dave Bittner: Can you give me some insights on how the SEC generally comes at these sorts of things? I mean, when it comes to their relationship with the organizations that they regulate, do they tend to be collaborative? Do they tend to be adversarial? Where do they land?

Valerie Abend: Well, I don't know that I would pigeonhole the SEC versus other regulators in different ways inside the United States. We have a very strict approach in the United States around how much collaboration regulators can do with private industry. And, honestly, that's a bit of the challenge we have in our construct versus other countries that have different approaches. As a former regulator myself, I remember, you know, the challenges I faced where, in order to get comment, you have to really put things down on paper or put it out to the public. And then there's this formal process. And it makes it harder to be collaborative, as you say. The sort of ways in which we tried to address that in the financial sector was by creating what is a public-private partnership, whereby the regulators all come together underneath the guise of the sector-specific agency, which is the US Department of the Treasury. And they would come together in meetings under, you know, certain types of relationships that are legally allowed to with the private sector under the Financial Services Sector Coordinating Council. But, ultimately, when you're putting out a reg, it's very hard to be collaborative, except for this comment period. I do think there are ways which I've seen in the past where industry can kind of help prompt even more collaboration just by convening groups that then kind of are able to share messages back to regulators. So, if you look back at how, when the PCAOB, the Public Accounting Oversight Board, was created, there was a lot of conversation by what was then the big four accounting firms having town halls all around the country to say, How do we restore faith and trust in public accounting? That then further reformed the PCAOB about what they needed to do.

Dave Bittner: So what are your recommendations, then, for folks who are in leadership positions in a public company, so maybe a board member. With these new rules, what sort of things should they be concerned with?

Valerie Abend: So I think there are a few challenges. And the first thing I would always say on this one is, because they did soften, you know, various provisions between what they had originally proposed versus what they voted as final, first thing I'd say is, I think a lot of folks are going to sort of let their foot off the gas, and I don't think that's a great plan. As we talked about earlier, when you have an incident, that's when you're going to get caught with, like, Oh, we didn't really have a well-defined process; and we thought we did. And that's not just on the incident materiality part. That's also on the sort of two other big areas of the regulation, one of which is just your ongoing day-to-day cyber risk management processes. So, in the rule, you have to disclose every year about how you're managing cyber risk. That's really smart. It doesn't require too much detail. But, you know, if you have an incident and in that you don't really have all your details really worked out and the SEC comes to do an investigation, that's where you're going to have a challenge. And so having a very strong cyber risk management framework with policies and procedures and clear ability to actually quantifiably describe what are your higher risks in the context of your specific business and how you're not just maturing your information security function but actually holding all members of the C suite accountable for their specific role in managing cyber risk. To me, that's going to be I think a big area that a lot of companies need to focus on. And if I were a CISO, I would partner with my CEO to see how we can do that, particularly working with this management committee that's described in the rule. So they're -- in the rule, they actually tell the board that their job is to oversee this cyber risk management committee or an executive risk management committee that's handling cyber. And so, if I were a CISO, I would partner with the CEO and with the board to really strengthen that management committee, all the members of that committee, make sure it's clear what their responsibilities are, and have it very well-documented and practiced.

Dave Bittner: Yeah. You know, you mentioned documenting. That really strikes me that it's in an organization's best interest here to be documenting things along the way and not just when an incident occurs.

Valerie Abend: Yeah. I think that's really important. I used to say in -- a regulator, if it's not written down, it doesn't exist, right?

Dave Bittner: Right, right.

Valerie Abend: And that just -- it does matter, right? It makes it so much more clear, people put pen to paper and say, Oh, that's -- those are my responsibilities? Oh, that's what the mission of this management committee is? Oh, this is how frequently we meet? These governance documents matter quite a bit. And also how you're measuring and reporting cyber risk, that -- how you look at your key risk indicators, your key performance indicators, making sure that that is tuned appropriately over time and in writing, going up through this management committee up to the board, I think that's really important.

Dave Bittner: You know, in terms of broader trends, what this indicates in terms of, like, a trajectory that the SEC is indicating here, any thoughts on where we're heading with cybersecurity and public companies?

Valerie Abend: I think that what we're seeing is an increasingly complex regulatory landscape. As a matter of fact, the White House just released a request for information around regulatory harmonization and with an eye not just in what's happening in the United States but internationally as well. And we have very different approaches in the United States versus Europe versus, you know, Asia Pacific and other parts of the world in how we regulate generally but specifically in cybersecurity. And that is a challenge. I think that's what -- that's the reality. I don't see it changing. And so as we look at not just the SEC but what other regulators are doing -- so, for example, CISA has, you know, a requirement for critical infrastructure to report. CISA also is able to share that information with other agencies. Are they going to give a heads up to the SEC even before you do if you're experiencing an incident and have already reported that to CISA? So I think there are various issues around regulatory complexity that a lot of publicly held companies need to consider going forward.

Dave Bittner: Yeah. I sense a bit of a subtext is you're talking about comparing our regulatory regime with others around the world. I mean, is this -- is this something that puts us at a competitive disadvantage? Or is this simply the way that we've decided to run things? What's your take there?

Valerie Abend: It's sort of the nature of just how we operate. I don't know if it's an advantage or disadvantage. It depends on how you look at competition, I guess. In Europe, they raise the bar across everyone all at once. So you have the NIS2 Directive. You have DORA. You have the forthcoming Digital Services Act. Those regulations cover all of Europe across every industry all at once and set the bar at the same level, which, you know, look it. Let's face it. We're operating in an ecosystem. We are highly dependent on third and fourth parties and beyond. And so the idea that you can raise everybody up at once is pretty important. We regulate more from an industry lens, industry by industry. The SEC Rule is all industries that are publicly held companies, but the reality is that the industries, if you look at banking versus capital markets, and the SEC also oversees capital markets and has a -- has a regulation specific to them now. So -- but, you know, if you look at TSA and what they do in transportation and with pipelines, like, it's very industry by industry specific. And, you know, it depends on how you consider competition. On the one hand, I think that raising the bar for everyone is really important because we're all so interdependent and increasingly so. On the other hand, I think it's really important that, when you go in and you actually regulate inside of a bank or inside of a pipeline, you actually understand the specific risk context in which they're operating.

Dave Bittner: There's been talk about delays from attorneys general and what companies should do about that. What can you share with us there?

Valerie Abend: Right. So the SEC says you can file a request for delay, that you would basically get the agreement with the attorney general if there is belief that the incident shouldn't be disclosed to the public because there are national security and public security implications. The question is, how do you do that? Like, how do you get the Attorney General on the line to agree with that? And that is why we always encourage companies to work very closely with the FBI, with law enforcement. And that way you have that relationship so that they can help you in that circumstance if you truly believe that there are national security implications from a breach. I think that, in some instances, the FBI or the Department of Homeland Security may proactively reach out to you that something is going on. They believe it has national security interest, and you might get an alert from them. And that I think probably smooths out that issue for you or hopefully would. But if it's the reverse, if it's your company determining it, how they do that is still unclear.

Dave Bittner: Ben, what do you think?

Ben Yelin: That was a fascinating conversation. I think since you had the conversation with her that rule was finalized and is now in place. What's really interesting to me is it seems like the big stakeholders in the private sector are quite supportive of this SEC regulation maybe because, as she notes, the regulation was altered from its original form, which had a little bit more -- or, I guess, more burdensome requirements on these companies. But having this buy-in for these rules that are attempting to hold publicly traded companies accountable for cyber incidents or at least improved situational awareness and knowledge of attacks I think is very promising. So -- and she's certainly an expert on this topic, and I found the interview very informative.

Dave Bittner: Yeah. Again, our thanks to Valerie Abend from Accenture for joining us. Boy, great guest, you know. She has like a -- Valerie is -- just has that great combination of expertise in her -- in her area but also being really able to explain it in a way that, you know, folks like me who aren't experts can really understand what's going on here. So I really appreciate that, that rare combination. And we appreciate her taking the time for us.

That is our show. We want to thank all of you for listening. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. This show is edited by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.