Cybersecurity Act of 2015

Author: Scott McAuliffe, CPA, CISA, CFE

As I awake each day and read through the morning headlines, it seems a day does not pass without a cybersecurity incident being mentioned. In December, Congress passed the Cybersecurity Act of 2015 . The goal of the Act is to encourage companies and the U.S. government to share information on cybersecurity threats. In reading through the Act, the requirements that could have the biggest impact to private companies, including small businesses are:

• The bill requires the Director of National Intelligence and the Departments of Homeland Security, Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, to include developing cybersecurity best practices with attention to the challenges faced by small businesses.

Take Away: Many small- to mid-size companies struggle to determine the resources that need to be deployed to deal with cybersecurity risks. With this requirement, hopefully, a cost effective, best practices framework will be developed that small business can utilize to determine and prioritize the resources that should be implemented to protect against cybersecurity risks.

• To detect, prevent, or mitigate cybersecurity threats or security vulnerabilities, private entities may monitor and operate defensive measures on: (1) their own information systems; and (2) with written consent, the information systems of other private or government entities. A “defensive measure” is defined as an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on or processed by, or that is transiting, an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. In addition, liability protections are provided to entities that voluntarily share and receive cyber threat indicators and defensive measures with other entities or the government.

NOTE: On February 16, 2016, the Department of Homeland Security and the Department of Justice issued Guidance to private companies for sharing cyber threat indicators and defensive measures. The Guidance provides companies with examples of cyber threat indicators and defensive measures, as well as examples of protected information that should be removed prior to sharing.

Take Away: The bill is trying to incentivize companies to share cybersecurity threats by offering protection from violating anti-trust laws, surrendering trade secrets, or proprietary information. However, companies will need to be diligent and review the information that is being shared to identify personal information that should be removed prior to sharing.

• The Department of Health and Human Services must convene a task force to: (1) plan a single system for the federal government to share intelligence regarding cybersecurity threats to the health care industry, and (2) recommend protections for networked medical devices and electronic health records. HHS must collaborate with DHS, health care industry stakeholders, NIST, and other entities to establish a single, voluntary, national, health-specific cybersecurity framework with a common set of standards and security practices as a resource for cost-effectively reducing cybersecurity risks for health care organizations.

Take Away: Healthcare companies can expect more regulations, increasing their requirements for protecting personal health information.

Evaluate Your Company’s Cybersecurity Risks

As with most bills, it will take awhile for all of the details (e.g., best practices) to be developed and approved. In the meantime, for companies that are trying to evaluate their cybersecurity risks, a good place to start is assessing the strength of their controls in following areas:

• Performance of periodic vulnerability assessments
• Ensuring patches and anti-virus software are up-to-date
• Network perimeter security, including real time monitoring
• Incident response plans
• Back up and recovery
• Business continuity and disaster recovery
• Change management
• Engaging and monitoring IT outsourcers
• Data classification and encryption
• Mobile device security management

Questions on keeping your business safe from security breaches? We can help. Contact your Keiter representative or 804.747.0000 | email.

Read more of our insights on cybersecurity and data breaches.

……………………….

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, information technology audits, Service Organization Control (SOC) audits, and Sarbanes-Oxley assistance. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. Read more of Scott’s insights on our blog.