Cybersecurity is not just a technical issue but also a legal one. How can we design systems and processes that are resilient to cyberattacks and comply with the relevant laws and regulations? That was the question I wanted to answer when I attended the USD Cyber Law & Risk Symposium, where experts shared their insights and best practices on the topic of "Resilience by Design." In this blog post, I will summarize some key takeaways from the symposium and offer practical tips on implementing security by design in your organization. 

Brian's key insights 

The primary insight gained from the symposium is the necessity of tailoring a defensible cybersecurity framework that aligns with the specific risk tolerance of one's sector. Adequate documentation is highlighted as a cornerstone of this process – capturing written comprehensive risk assessments and cataloging the enhancements executed within an organization is critical. 

The symposium underscored the value of assimilating lessons from prevailing cyber threats and enshrining these experiences in well-documented protocols. This ensures preparedness for emerging attack vectors. 

Adherence to the NIST 'Respond' and 'Recover' guidelines was particularly stressed, focusing on recording the precise sequence of events, remedial actions undertaken following a cybersecurity incident and detailed recovery strategies. 

The symposium emphasized the importance of a well-informed disclosure process for entities like publicly traded or regulated companies, where disclosure is a mandate. It is crucial for information to ascend accurately from the technical personnel to senior management to ensure that reporting obligations to regulators or the public are met comprehensively and transparently. 

Brian's sessions of note 

Fireside Chat w/ David Hirsch, Chief of Crypto Assets & Cyber Unit, SEC Division of Enforcement 

Given active and ongoing litigation, there's confusion in the industry; David emphasized the need for disclosure policies within organizations. The new rule of 4 days to disclose via 8k starts once the material breach is discovered, not when the breach occurred. David also notes that board oversight in cyber can be a differentiator; however, if you disclose you have cyber oversight and that person leaves, you must disclose that because investors may have made decisions to invest because of better cyber oversight. 

All questions were pre-moderated, and his views were his own, not from the SEC or colleagues. 

Katherine McCarron Chief of Staff & Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC 

During this session, Katherine summarizes the FTC Safeguards Rule detailed here. Some key points from her include: 

A Qualified Individual (QI) does not have to be a high-dollar CISO, as that was the loudest complaint filed during the comment period. 

The risk assessment needs to be written, not just verbal. 

Eight items to include to help safeguard: 

  • Implement and periodically review access controls.
  • Know what you have and where you have it.
  • Encrypt customer information on your system and when it's in transit.
  • Assess your apps.
  • Implement multi-factor authentication for anyone accessing customer information on your system.
  • Dispose of customer information securely.
  • Anticipate and evaluate changes to your information system or network.
  • Maintain a log of authorized users' activity and monitor for unauthorized access.

Under the Sea of Cyber Reporting Obligations 

This panel consisted of Clayton Romans (CISA), Todd Hemmen (FBI National), Nick Arico (FBI San Diego) and Justine Phillips (Baker & McKenzie LLP). Todd has been embedded with CISA (Clayton) for six months to improve communications. With new portals being built for information sharing within the government, they believe this will have a trickle-down effect.  First, the federal government adopts this kind of communication sharing, and then the commercial market assumes it.  

The FBI used just to come in and take servers, but now they want to collaborate. They do not perform recovery efforts but will share decryption keys if they have them. Get to know your local FBI field office; San Diego happens to have the national cyber team leader in the region. More on this topic here

Nick's key insights 

In the Era of increased SEC, Federal and State Regulatory Scrutiny, CISOs must now learn to navigate legal liabilities. The forum not only heightened awareness for me and my team but also encouraged a vibrant exchange of ideas, delving into the latest cybersecurity headlines from a hands-on legal standpoint.  
My highlight of the event was the mock trial titled, "Nick's Beauty and Breach: Putting Your CISO on the Stand," which featured The Honorable Mitch Dembin, a retired Federal Magistrate judge from the US District Court of Southern California, presiding over a compelling cyber breach civil case, demonstrating the lines of questions and concerns that all CISOs should understand. Explaining complex topics such as 8 Ks, 10 Ks and D&O insurance coverage – which can help protect an organization from financial damage caused by wrongful conduct or negligence – was fun and exciting. 

The symposium was an invaluable opportunity to discuss the ever-evolving landscape of cyber law, risk management and privacy, covering crucial topics related to new federal, state and industry-specific legislation and the latest risk mitigation strategies.