By Eben Kaplan
WASHINGTON – It has been called “the most important cybersecurity case you’ve never heard of,” and now it’s getting a second life. The core issue in the dispute between the Federal Trade Commission (FTC) and Wyndham Worldwide WYN -1.4%Corporation is whether the FTC has the authority to enforce data security standards in the US commercial sector. Last April a federal judge ruled in favor of the FTC, but Wyndham has appealed. The 3rd Circuit Court of Appeals heard oral arguments earlier this month, and regardless of how that court rules, that decision is also likely to be appealed.
Until the case is decided, regulatory enforcement of cybersecurity in the United States will remain in a state of limbo. The FTC has authority under the Federal Trade Commission Act to prohibit “unfair” or “deceptive” business practices. It claims this authority extends to cybersecurity practices, and Wyndham argues the FTC is overreaching.
To date, the FTC has brought suit against some 55 companies for maintaining “unreasonable” cybersecurity practices. Yet the commission has never formally defined what constitutes “reasonable” security; and it’s not about to anytime soon. Earlier this month FTC Commissioner Julie Brill suggested that her agency would not define a comprehensive standard until the Wyndham case is resolved. In the meantime, companies must piece together a definition of reasonableness from a collection of guidance, tips and blog posts on the FTC’s website.
If the FTC ever does issue a formal standard, don’t expect a list of controls that companies should implement. Such specific guidance is apt to become obsolete as soon as it is issued. Rather, Commissioner Brill indicated that the FTC is more concerned that companies take a holistic approach to managing cyber risks—in other words, it is better to have the right risk management framework than the right security widget.
This emphasis on process is not unique. It is the same approach the US National Institute of Standards and Technology took when issuing a set of voluntary guidelines for critical infrastructure providers last year. Those guidelines, called theCybersecurity Framework, emphasize “using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.”
Another government regulator, the US Securities and Exchange Commission (SEC), last year undertook a review of cybersecurity practices among registered broker-dealers and investment advisors. The findings from that review, released last month, also appear to emphasize process over products. The SEC focused broadly on firms’ practices for identifying and addressing cyber risk, such as the use of external standards, participation in information-sharing networks or the designation of a chief information security officer.
Though companies may find the absence of specific cybersecurity standards frustrating, regulators’ apparent preference for more process-based measures is appropriate. Networks cannot be secured through box-checking exercises; cyber due diligence requires thinking more like a would-be hacker than an auditor. Most of the time, these process involve questions about corporate strategy that should ideally be addressed by an organization’s senior leaders. No matter where regulators decide to set the bar, any organization whose leaders are focused on cyber risks is likely to clear it.
Eben Kaplan is a Senior Consultant at Control Risks, the global risk consultancy.
We manage risk in the emerging markets and beyond.
Opinions expressed by Forbes Contributors are their own.
BUSINESS 329 views
In Hostile Environments, A New Weapon: Ethics
By William Daly
“Unpredictable instability is the ‘new normal.’” That was the assessment of James Clapper, US Director of National Intelligence, in Senate testimony late last month. “The year 2014 saw the highest rate of political instability since 1992,” he went on, warning that “roughly half of the world’s currently stable countries are at some risk of instability over the next two years.”
The point of Clapper’s remarks was to highlight global threats to US national security. But rising instability is a problem burdening governments and businesses alike. As governments grapple with this problem on a global level, businesses operating on the ground must place a higher premium on security policies and procedures. This is particularly true in regions already prone to upheaval or places where the rule of law shows signs of breaking down.
But ramping up security has the potential to introduce new risks; particularly if it is not done thoughtfully. Newspaper headlines abound about companies whose security practices elicit accusations of human rights abuses and strained ties with local communities. In other cases, businesses outsource to security contractors and lose oversight. Security contractors have misappropriated their clients’ assets to commit financial crimes or buy into a system of corruption. Poorly considered security practices damage a company’s reputation—and ultimately its bottom line.
So how can companies address growing security risks without opening Pandora’s Box? One approach involves incorporating human rights into any security-related decisions. This includes preventing harm to communities, respecting the dignity of local people, and implementing a thoughtful community engagement model in light of security concerns. To this end, many businesses have signed on to promote the Voluntary Principles on Security and Human Rights. Established in 2000, these are a set of principles designed to guide companies in maintaining the safety and security of their operations within a functioning framework that encourages respect for human rights. Drafted by prominent extractive industry companies, international NGOs and the US and UK governments, the principles are a multi-stakeholder initiative. Some companies have voluntarily adopted these guidelines in response to international concern that the security priorities and plans around local investments and operations had, in some locations, the potential to mistreat local people and communities.
There are several ways companies have incorporated the principles into their security plans. A well-known oil company has taken these recommendations and put the human rights language directly into their contracts with private security providers. Key clauses include pledges to carry out extensive background checks on all personnel, with an eye to past human right violations. In addition, the oil company makes clear in their contracts the conduct of employees has to be in line with local laws and the Voluntary Principles on Security and Human Rights. Violations of the contract lead to immediate dismissal.
Another energy company, which happens to be a founding member of the principles, prides itself on the use of community engagement strategy to stem security concerns. The company holds regular meetings with public officials and local security forces to discuss ongoing challenges related to security and community relations. Via community engagement officers, third party advisors, and cultivating a culture of engagement, the company has succeeded in creating the channels for two-way dialogue on security concerns. These efforts have been particularly concentrated at sites with a history of violence and regional conflict. This work also ensures that the company can stay in touch with authorities while also using its influence to promote security and human rights principles.
Though there are plenty of examples of companies using the Voluntary Principles to great effect, the principles themselves are now a decade and a half old. Twitter and the iPhone—tools that have amplified social risk in many places—were still years off. And while many organizations have voluntarily adopted these principles, some of have been stung by their failure to live up to the ideals. It may well be time to revisit the Voluntary Principles in light of shifting risks and new geopolitical realities. Even if this doesn’t happen at the same multi-lateral level as it did in 2000, companies using these principles should reassess their own efforts to make sure they remain adequate.
William Daly is Managing Director at Control Risks, the global risk consultancy