Regulatory risk: "high-impact, low-probability" (but really high-impact if the improbable happens).
Yanev Suissa of SineWave Ventures, in a "think forward" presentation, called regulatory risk "the most systematically underestimated risk affecting business today." There was no shortage of other speakers keen to raise awareness of that risk, and to suggest ways of mitigating it.
On the receiving end of regulatory attention.
Michael Daugherty, CEO of LabMD, has had long, direct experience fighting a regulatory investigation (see JDSupra for a quick overview), and he drew upon that experience as he moderated a panel on "The Cybersecurity Regulatory Complex." He opened by describing a regulatory investigation as a "low-probability" but "high-impact" event, and he argued that such impact was likely to be very high indeed, should your company be on the receiving end of it. He argued that the risk in the US emerged from Congress having "subcontracted much of its job" to the administrative state. He recounted LabMD's experience of being pushed toward, and fighting, a Federal Trade Commission (FTC) consent decree over an alleged breach. One lesson he took from that experience is that regulatory investigations don't follow the rules of criminal or civil procedure you may have learned about from your high-school civics classes.
The panelists who joined Daugherty included Tim Callahan (CISO, AFLAC), Renee Guttman (CISO, Royal Caribbean), Doug Meal (Ropes & Gray), and Jason Smolanoff (Kroll). The discussion was fundamentally unsympathetic to regulatory agencies (much more positive, interestingly, toward law enforcement agencies). The Federal Trade Commission was the agency most singled out in discussion, but it was treated as representative, not particularly distinctive.
Disclosure as the point of risk.
Smolanoff observed that disclosure is the point of maximal legal, regulatory, and reputational risk. Disclosure involves risks that need to be managed, and companies facing an incident or an investigation need to be aware of them. Some of those risks may be surprising. He's noticed that regulatory agency CISOs are participating in discussions with companies under investigation, and they're there to help, as he put it. "find gotchas" they can provide the enforcement side. Nor are Federal regulators the only ones companies may encounter. State regulators, he said, particularly in Massachusetts and California, have become increasingly aggressive. Smolanoff believes he's seen state regulators using data breaches to levy fines with a view to raising revenue.
"The aggressive regulatory environment is real."
Meal's practice at Ropes & Gray is to defend companies against regulatory action. He offered two points. First, "the aggressive regulatory environment is real." Second, there are pre-event prophylactic measures available to companies. He particularly recommended building a close partnership between information security teams and those elements in the company responsible for legal and compliance matters. It's not inevitable, Meal said, that, if you draw a regulatory investigation, "you're dead in the water." He stressed that, "You need a great team committed to defending you. Equifax, for example, convinced itself it was wrong from the start. Don't do that." And, he added, above all convince the regulator that you're there to fight. "Don't miss signals," Meal said. "The worst case is when the regulator thinks the company is ready to cave, but the company is not."
Preparation, tactics, and strategy.
There is, Guttman said, a community out there that can offer mutual aid. "CISOs should work together. We ask each other for favors all the time. And that's really critical. Those are the trusted partner relationships you want to have." She thought that tabletop exercises were particularly useful if they addressed regulatory issues. They help clarify the roles various team members should play. And she remarked, in an aside, that one new regulatory risk was due to arrive in May 2018: "The new bogeyman is GDPR."
Callahan saw both a tactical and strategic aspect to addressing regulatory risk. When you hold a drill as part of your incident preparation, he advised asking, "How do I defend myself in court in such a situation?" It's important, he stressed, to convince the regulators that you're a victim, not a criminal. (There was some consensus expressed after the panel from participants and the audience that law enforcement had increasingly shown itself disposed to regard hacked enterprises as crime victims, not perpetrators.) The courtroom is tactical. Engaging legislators and policymakers in advance is strategic. Callahan recommended starting that strategic dialogue before there's an incident.
Daugherty made a point he would elaborate later, during a lunch session: it's important to select your lawyer carefully. "They don't come with a label." Find one who will be committed to advancing your interests. In his opinion there's a risk in taking someone from a big law firm who has experience working for the agency that's investigation you. Such an attorney may be fine, but there's also the possibility that they may be more interested in preserving their own stock with their former agency, the relationships they've developed, than they are in risking any bridge-burning that aggressively representing you might entail.
"There are no best practices."
Representative Darrell Issa (Republican, California) presented a SINET "think forward" segment later in the day in which he outlined ways in which he thought the regulatory agencies might be reformed. "The Federal government can't tell you how not to be hacked, it can't show you how not to get hacked, but it can issue you a consent decree if you do get hacked."
And this, Issa said, is the root of the problem. "There are no best practices." There has to be a system, he argued, in which the Government can share relevant practices with you. Following them "may not keep you from being hacked," but if you follow them, you'll be safe from regulatory punishment. Thus the problem comes down to a lack of clarity about the standards to which the various regulatory agencies will hold businesses. "There is no chance in the near future that the FTC will give you safe harbor, because they don't know what good practices are. All they know is that they can hit you if you get hacked."
He suggested that it might be possible to take advantage of the natural stovepiping that occurs in Government to ameliorate this situation. We might help, he thought, "the Department of Commerce to be your friend, pushing aside the other agencies that have a different mandate." Giving Commerce the lead in cybersecurity regulation, and reforming them in the right way, he said, would be good for the sector. "Now, you don't know whom to please, and there's no umpire. That should change."