EP 4: The “Reasonable Cybersecurity” Standard
About this episode
July 10, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and Cybersecurity Practice Lead at Newman Du Wors LLP, about the emerging "Reasonable Cybersecurity" standard: where it's coming from and how it should affect the decisions made by cyber risk managers.
Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: And I'm Jake Bernstein, cybersecurity counsel at the law firm of Newman Du Wors.
Kip Boyle: And this is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities.
Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our Cyber Risk Managed Program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.
Jake, what are we going to talk about today?
Jake Bernstein: Hi Kip. Today, we're going to talk about reasonable cybersecurity, the standard of, and where that comes from and how that relates to practicing cybersecurity, as opposed to simply trying to purchase it once.
Kip Boyle: Okay. So reasonable cybersecurity. That's an interesting phrase. Is that the same as perfect cybersecurity by any chance?
Jake Bernstein: It is definitely not the same as perfect cybersecurity. There really is no such thing as perfect cybersecurity, certainly from a technical standpoint. You would agree, correct, that it's effectively impossible to do that?
Kip Boyle: Right because the nature of the threat these days is very intense. And we just see example after example of organizations that are spending quite a bit on cyber risk management. And yet they continue to get hacked.
Jake Bernstein: Right. So reasonable really is a standard that is doable. And it's going to come down to your size, your sophistication, the amount of resources you have. It's really the same thing as the famous reasonable man that you hear about in car accident cases, things like that. It's a legal standard and that's what we're going to talk about today.
Kip Boyle: Right. Okay. So this is not a technological standard. It's a legal standard. Okay.
Jake Bernstein: Correct.
Kip Boyle: So that helps me orient my thinking on this. So you just mentioned something really interesting, a reasonable man standard. What is that for people who aren't familiar with that?
Jake Bernstein: So generally speaking, if you're in a non-criminal lawsuit, the jury at some point is going to be asked to consider something from the perspective of the reasonable man. And that is considered to be a person who is acting with the information that the jurors have been given and is assumed to be acting reasonably. And it's a little bit of a tautology. The reasonable man is someone who acts reasonably, but the idea is that it's someone who acts rationally under the circumstances.
Kip Boyle: Okay. And so we don't have a dictionary definition of what reasonableness is. It sounds like what you're saying is it's very context specific. Is that right?
Jake Bernstein: It's pretty much the stand in for context specific in the legal area, yes.
Kip Boyle: I see. Okay boy, this is really interesting, this whole idea of reasonableness. All right, so that's kind of where it comes from legally speaking, but in terms of cybersecurity and cyber risk, who's defining what's reasonable?
Jake Bernstein: So that's an interesting question. And the answer actually might surprise you. It's not just government regulators, like the Federal Trade Commission who definitely plays a part in defining reasonable cybersecurity. But it's the sum totality of the cases and the jury findings and the facts and circumstances within each case. It's all also going to be defined within specific contracts between business partners, business associates, whether it's HIPAA, whether it's simply an NDA, whether it's an affiliate agreement or a supply chain or vendor contract, you'll find definitions of reasonableness or the term reasonable throughout all of these different areas. And so the answer to your question is that everyone defines what reasonable cybersecurity is and it's a moving target. So something that was reasonable cybersecurity three years ago is not going to be reasonable cybersecurity now.
Kip Boyle: Okay. I can already imagine executives and managers and IT security people already probably saying in response to your description, oh, that's so annoying and so nebulous.
Jake Bernstein: Vague.
Kip Boyle: Difficult, vague, and how in the world do I deal with that? Because most folks are used to receiving a checklist. So they get either a law or a regulation or something like that. And they convert it into a checklist and they say, well, great. I'm just going to go down this list. I'm going to do this stuff. And then I'm going to be reasonable. I can just imagine that's what people are hungry for. What do you say to those kinds of people who want that?
Jake Bernstein: Well, I would say that you can definitely use all of those tools to your advantage when you're coming up with your own reasonable cybersecurity program. But ultimately, the choice to use reasonableness in this situation does demand a very constant fact specific inquiry into your own practices. I think another word for it would be mindful. This is about mindful cybersecurity and good cyber hygiene. It's something that you can point to and say, look, we did what we could and it's about whether or not you ...
Perhaps a way to think about it is the famous coach, John Wooden from the UCLA days. He defined success as doing your best, your best. Not competing with someone else. And you can think of reasonable cybersecurity as something like that. Did you do the best that you could do? We're not going to ask you to spend all of your money on cybersecurity. Certainly that's not reasonable, it's not rational, but it's also not going to be enough if you are a reasonably, sorry. Wrong choice of word. If you're a mid-size company, maybe you have revenues of $200 million a year, it's not going to be reasonable to install a firewall and say I'm done. So it really varies. And there are tools, and if you like checklists, checklists can help, but they're only a component of a reasonable cybersecurity program.
Kip Boyle: All right. So we're not saying that you have to get rid of your checklists and you just have to feel your way along. We're not saying that at all. But what we are saying is that you've got to think differently about cyber risk management. And it sounds like what you're saying is sort of, don't think of it as well, I did my checklist, and I did it once, or I did it every quarter and now I'm okay. It sounds like you're saying you have to do your best every single day in order to be considered reasonable. Is that a good way to think of it?
Jake Bernstein: I think that it is a good way to think about it. I think that there's a couple of different sets of words we can use to describe reasonableness. For example, let's just talk about what the FTC says. All right, so the Federal Trade Commission says that every business should take reasonable security measures that are appropriate for an entity of similar size, sophistication, and resources, given the type, amount and sensitivity of data collected. So what you've got there is you've got two moving variables. You've got the entity itself, whether it's a big company or a small company, and then you have the data that you're collecting. And depending upon the size of your entity and the sensitivity of that data, it really begins to vary. And you can tell that, for example, we've actually dictated as a society, at least in the United States, that personal health information is extremely important. And we're not going to leave the security of that to just this kind of unclear, vague, reasonable standard. Instead, we're going to implement HIPAA and the HIPAA security rule, and there are massive fines and penalties.
Kip Boyle: Right. Okay. Interesting. All right, so we've got these two dimensional model put forward by the Federal Training Commission. Let me just see if I can recap what you said. So we've got the size of your organization as one variable. Then the other variable is type of data that you're collecting. Is that right?
Jake Bernstein: Correct.
Kip Boyle: All right. So the FTC, so I'm aware that the FTC has done a lot in the area of cybersecurity and that they are saying and publishing quite a bit on this whole idea of reasonableness. And you mentioned the FTC a moment ago. Could you explain a little bit more about what is FTC doing and saying about reasonableness?
Jake Bernstein: Sure. So people should be familiar with the NIST Cybersecurity Framework or NIST CSF. The reason for that is that the FTC has publicly stated in some blog posts that the NIST Cybersecurity Framework is a good model for creating a reasonable cybersecurity program for a given company. The nature of the framework is such that it's not a checklist. So you can't, quote, be compliant with the NIST Cybersecurity Framework. That sentence doesn't even make sense. It does not compute. And that's because the framework is a set of broad principles. It's a skeleton on which you build a much more complete cybersecurity program for your company. And NIST based it off of a lot of practitioners and experience; it includes concepts taken from older standards, like ISO 27001 and 27002. It includes concepts from the CSC Top 20, OWASP Top 10, all of that is kind of within the NIST CSF. And if you can do something with your cybersecurity program that honors the five areas, focus areas of the NIST CSF, then you can start to get something going with a reasonable cybersecurity program.
Kip Boyle: Okay. So there's a lot of acronyms in what you just said. I just want to break down a couple of them. So NIST is the National Institute of Standards and Technology. They're a department of the US government, and if I'm not mistaken, I believe they're a part of the Department of Commerce, which is interesting. They're not part of the DOD or law enforcement. So that's one thing that I wanted to clarify. The other thing I wanted to clarify is you also said kind of how the standard got developed, and you said they borrowed from different other standards and you named a whole bunch of them. But without going into those, I just want to say that those standards were preexisting cybersecurity standards, many of them were IT security focused. And so those were consulted as this new Cybersecurity Framework was created. Am I getting that right?
Jake Bernstein: Yeah, that's correct. That's what those are all about. They're various attempts over the years to systematize a cybersecurity set of principles. Some are very specific, like the OWASP Top 10 are specifically about web app vulnerabilities and they change as you might expect. The CSC Top 20 is a set of critical security controls. That's what CSC stands for. And those also can change over time and that's kind of the idea there.
Kip Boyle: Right. Okay. But the Cybersecurity Framework is not that detailed, but it drew from a lot of detailed work that other people had done. And one thing I know about the NIST CSF, which I think is very encouraging is it was created not by the NIST staffers. So the government people at NIST didn't sit down and say, well, let's write this thing. They actually brought in experts from private industry and said what do you folks believe we should have in this framework? And so I think that's one of the things that makes it different, makes it really interesting to me. And I think makes it particularly useful in the situation that we're discussing here. Now, you were talking about five functions, right?
Jake Bernstein: Correct.
Kip Boyle: What are those five functions?
Jake Bernstein: So they are identify, detect, protect, respond, and recover.
Kip Boyle: Okay. And so those five functions are they ... What's the relationship between those five?
Jake Bernstein: Well, each of them is a different phase, if you will, of the life cycle of a cyber attack. Or another way to think about it is what you have to do in order to prevent cyber attacks from causing the most damage to you. And if you think about it, it follows that in a very logical manner. Obviously you have to identify a problem. That is the very first thing that you must do. Once you've identified potential problems, you can move to the next step, which is detecting them. After you've identified them.
Kip Boyle: Well, I think it's protect. I think protect is the next one. You identify assets and risks and then you protect them. So you need to put some energy into that and then what?
Jake Bernstein: So then you're moving into the protect phase, which is what you're looking for in terms of, how am I going to see if someone is attacking systems? Or how do I know if my protections are working? Because you might have these great protections in mind, you might have implemented them, but if you don't have any mechanism to detect these problems, then there's really no way to know.
Kip Boyle: Okay. Yeah. That makes sense. And that really all pencils with the idea of physical security. So you could say, well, I've got this building, that's my asset. And people could break into it. So that's a risk. So I'm going to build a tall fence around it. And so that's how you protect it. And then if you stopped at that point and you didn't do any detective activity, then somebody could run their truck into the fence and then break into the building. But you wouldn't know because it's the middle of the night, say, and you're without some kind of a camera system or some kind of a burglar alarm notifying you that somebody's actually breached your fence. So that's why I'm saying that it's not enough to just identify your assets and protect them. You actually have to know when somebody's making a move on them.
Jake Bernstein: Exactly. Which really brings you to the next thing. If you have a camera system that shows, or detects, someone driving a truck into your fence, you better respond. And that is the next step in the CSF: respond. And in a nonphysical realm, that's going to mean, depending upon the situation, your response might be shutting off the systems that have been infected by malware, quarantining them, cleaning them off, things like that. And then the last stage of course is recover. That's when you complete the kind of cleansing of the systems that were affected. And then you move ahead into, then basically start back over where you're going to try to identify, protect, detect, and respond again.
Kip Boyle: Right. Okay. So that's a great summary of the life cycle of cyber risk management. And again, you want to identify, protect, you want to detect, you want to respond and you want to recover. What's interesting about the NIST Cybersecurity Framework is it's not focused on the technological aspects of that. So I remember in there, they talk about the need to have a, in your response capability, you need to have experts available to help you manage different aspects of responding. So notifying, for example, conduct notifications, and have to have legal counsel, for example. So I think that's one thing that distinguishes the NIST Cybersecurity Framework from some of the other sources that it drew on is that it's not just focused on IT. It's actually focused on a much broader landscape.
Jake Bernstein: It is. And I think you see that in the identify domain more than anywhere else, in some ways. Identify, included within the identify domain, according to the Federal Trade Commission, at least is a lot of administrative procedural concepts, a lot of management focused areas rather than simply IT based. For example, having a cybersecurity incident response plan is considered a component of identify. Although obviously, you can see how it involves almost all the functions. But the administrative component of simply creating that plan is part of the identify, identifying all of your assets, which goes beyond just IT. All of that falls under identifying, and you can see how it is not necessarily linked to technology at all.
Kip Boyle: Right. Right. And in the recovery function, there's also a part in there where it talks about public relation, the idea that if you do suffer a data breach, or you have some kind of a public cyber security event that you have prepared for that, by getting knowledgeable people to help management gain some kind of footing. Because if the press breaks a story that you've suffered a cyber risk event, you want to be out there, you want your company, you want your brand represented in that conversation. And that really doesn't have anything to do with security or technology at all.
Jake Bernstein: It's true. It doesn't, and that's what makes the CSF both very useful and also frustrating, I think, to certain people when they try to implement it. They've heard about the CSF, NIST is a well recognized body in the US. Certainly it has come a long way in a relatively short period of time, the Cybersecurity Framework. But once you dig into it, if you're a CIO or really just more likely to initially be an IT manager of some kind, you're not going to find a lot of help within the CSF itself.
Kip Boyle: Well not if you just want to do something IT focused.
Jake Bernstein: That's correct. Yes. It's not going to help you with that. And more importantly, sending it to IT is not going to do enough for your company either.
Kip Boyle: Right. Right. I mean, so another thing we talk about with our customers is contracts. They're getting contracts from their customers. They are signing contracts with vendors and you need financial firewalls in those contracts, just as much as you need firewalls on your data network. Because if a data breach does happen, then that could result in some very serious financial breaches. And you look at contracts all day long so I would imagine you're really sensitized to this.
Jake Bernstein: Yeah. It's interesting. In the last really couple of months, I've started to see a lot more security focused clauses in really relatively normal, otherwise standard business contracts. I do a lot of internet affiliate marketing agreements, vendor contracts, and simple non-disclosure agreements. And the NDA is ... People sign those all the time, oftentimes without even pausing to think about it. And if you think about it, the NDA is the perfect example of the type of contract where you kind of have to add data security standards to it. Because if I sign an NDA and then I get hacked, the first question that the other party who signed it is going to want to know is, well, what did you do to stop that? And the simple reality is that if you didn't take reasonable cybersecurity measures, forget the FTC, forget HIPAA. You've probably just breached your contract and that can have plenty of penalty all on its own.
Kip Boyle: Right. Right. So thus the need for good scrutiny over the contracts that you do sign, and then also language to indemnify you in the case of a contract breach.
Jake Bernstein: Well yes, but I think my point is more that the standard for reasonable cybersecurity is going to be imposed on you, whether you're a regulated industry or not, whether you want it to be or not. You won't be able to sign an NDA without having to do reasonable cybersecurity. You won't be able to sign a vendor contract. If you want business in 2018 and moving forward, you will have to have some kind of cybersecurity program in mind. And I think that a really good way of thinking about it, a goal, if you will, is these three words that were spoken by one of the HIPAA regulators, and what they said was they're looking for systematic, comprehensive and structured cybersecurity programs.
Kip Boyle: Systematic, comprehensive, and structured.
Jake Bernstein: Yeah. And you can really think of that as three words to describe reasonableness. If you think about it, there's really no way that a non-comprehensive or unstructured, or completely de-systematized program is going to be reasonable. Those three words are kind of part and parcel of the concept of a functioning cybersecurity program.
Kip Boyle: Right. Right. Okay. Interesting. So does the reasonable cybersecurity standard come into play anywhere else?
Jake Bernstein: In what sense? I mean, I think the reasonable cybersecurity standard is going to come into play throughout the contracts and the other areas, but I'm ...
Kip Boyle: Okay. Okay. So I think the point here that we're making is it's not just an IT issue. It's something that's cutting across all different areas of your business.
Jake Bernstein: It is.
Kip Boyle: So you've got your management functions, which are the contracts, and you've got your technological functions and your process areas, and then your people areas too, which we really haven't talked too much about now. But most of the errors, or I should say most of the data breaches that we are seeing that have become public, seem to, a great majority of them are the result of human error. So training people to reduce errors is probably another really important aspect of reasonableness. Would you say so?
Jake Bernstein: Yes. Employee training and not just employee training, but also testing them. It's at this point, essentially inexcusable to not at least do an annual, if not quarterly, phishing attack, simulated phishing attack on your organization to test your people. It also helps them learn. I mean, that's all part of the training and staying on top of things. Phishing emails from 5, 10 years ago were easily spotted by almost anybody. They were often written in poor English. They had obvious mistakes. They just don't look right. By contrast phishing emails today, they're almost indistinguishable from a legitimate email. It can be very difficult to spot the difference even for a trained professional.
Kip Boyle: Right. That's a great point. So we've got people attacking us, they're getting better all the time and they are able to do it in a way that if we're not training people to keep them up with the latest ways that they're being attacked, then well, that's unreasonable, isn't it?
Jake Bernstein: It is. And that actually brings me to another point I want to make sure I make, which is the difference between practicing cybersecurity and, for lack of a better word, I'll just say purchasing it or attempting to impose it, maybe in a compliance regime where you get an audit or something. And if you think about the way that a data breach could end up with a lawsuit, you're going to have to prove in court to a jury that you took reasonable cybersecurity measures. How are you going to do that? I think this is a really important question to ask yourself: how am I going to do that? And you need to talk to an experienced cybersecurity counsel, preferably someone with litigation experience. If not, you can talk to really almost any litigator. Ask, how am I going to prove something in court? And you're going to get a long answer. But the key here is to understand that you're going to be dissected from the top down by the opposing party and ...
Kip Boyle: It doesn't sound fun.
Jake Bernstein: It's not fun. It's not a fun thing. And they're going to look at your obvious things like they're going to ask for copies of internal documents, policies, procedures, manuals, employee training, but they're not going to stop there. It's not that difficult to produce a document, even a long one, and then store it on the company server or include it in a company handbook. They're going to then begin to ask individual employees, do you follow this? How do you follow this? When do you follow this? Give me examples of when you follow this. This policy looks like it's going to generate records, give me those records. So this is what I mean by practicing cybersecurity at a reasonable standard. You can't simply paper over this. Maybe that's a good way of saying it. You cannot paper over cybersecurity. That will come out very quickly in an actual litigation lawsuit. And so though audits and checklists have their place, if you only do an annual checklist style audit, then you better be certain that you're actually doing that the entire year.
Kip Boyle: Right. And so that gets us back to that thing that we opened up with where we said that checklists are fine. They're good tools, but they're not the end that we're trying to achieve here. We have to put our best foot forward every single day.
Jake Bernstein: That's correct. And that's a good way to think about it. If you can do the checklist every single day and keep that in mind throughout the entire year, rather than just during the audit itself, then you will have come a long way toward having that systematic, comprehensive and structured cybersecurity program, which hopefully a jury or judge will consider reasonable.
Kip Boyle: Right. Okay. All right. Well, thanks Jake. That just about wraps it up. So today we've been talking with Jake Bernstein, an attorney at the law firm, Newman Du Wors here in Seattle. Thanks everybody for joining us today on the Cyber Risk Management Podcast.
Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.
Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our Cyber Risk Managed Program.
Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cybersecurity consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.