This panel session discusses the challenges associated with the increased (and increasing) legislative and regulatory landscape of cyber incident response. Throughout this session domain experts from law, technology, cyber response management, and enterprise security backgrounds will be available to take live questions from attendees as it relates to these challenges. Main webinar take-aways include:
- A better understanding of the current legal and regulatory landscape and requirements as it relates to cyber incident response.
- Recommendations from experts on what organizations in regulated industries can do to reduce the risk of non-compliance across the people, process, and technology aspects of cyber response
- Solutions to common problems experienced by CISOs, GRC Officers, SOC managers, and Security Analysts due to increased compliance requirements in cyber response.
Session Speakers:
Vaughan Shanks - CEO, Cydarm
Keith Moulsdale - Technology, Cybersecurity & IP Law Partner, Whiteford, Taylor & Preston
Samrah Kazmi - Chief Innovation Officer, RESRG
Kelly McCracken - SVP, Detection & Response, Salesforce
This session originally aired: CS Hub Threat Detection and Response Summit, February 21st, 2023
Text Version:
Host: Hello, and welcome back to Cybersecurity Hub Threat Detection and Response Conference. In this webinar we will discuss the challenges associated with the increased and increasing legislative and regulatory landscape for cybersecurity incident response.
So I would like to introduce our panelists. We've got Vaughan Shanks, CEO at Cydarm, Keith Moulsdale, technology, cybersecurity IP law partner at Whiteford, Taylor and Preston. We've got Samrah Kamzi, chief innovation officer at RESRG, and Kelly McCracken as senior vice president Detection and Response at Salesforce.
And I would like to start with a question to Keith. So what are the current regulations relating to cyber incident response and what changes are coming?
Keith Moulsdale (Technology, Cybersecurity & IP Law Partner - Whiteford, Taylor & Preston): Great question. Well, generally speaking, current incident response regulations focus on three things, conducting a good faith investigation, remediating the incident and mitigating risks, and thirdly, if the incident rises to a certain risk threshold, reporting the incident to affected individuals, government agencies, or credit reporting agencies. Notably those notices that go out though aren't protected from disclosure or use in litigation.
If a business or organization happens to be in a country where privacy and cyber are regulated in a comprehensive manner across businesses and organizations, regardless of their size, like in the EU under GDPR, complying with incident response obligations tends to be more straightforward and consistent because their comprehensive definitions of the types of affected data and systems, and there's more or less a single deadline for reporting. So they main uncertainty for businesses tends to be figuring out if the incident is reportable. But in countries like the United States where there isn't an omnibus federal cyber law that applies equally to everyone, and instead, there's a collection of three things, there are federal laws that apply on an industry-specific basis like HIPAA, Gramm-Leach-Bliley and COPPA, and then 50 plus state laws that aren't industry-specific and a growing number of state laws that are industry-specific, it's kind of a mess. It's like a Rubik's Cube that where the solution depends on where your organization is, the geographic scope, the type of industry, whether your clients are commercial or governmental or consumers, the type of data you have, and whether you're a controller or a processor. So this Rubik's Cube is really company-specific and difficult to solve.
What's more in the US, there's an increasing number of differences in incident response that organizations in that difficult situation have to contend with. So for example, traditionally, personal information that would trigger a notice was defined pretty narrowly, just to be a name and a specific piece of sensitive information like a bank account number or some health information. But now some states like California and Virginia and Colorado are expanding their definition of personal data much more broadly like they do in Europe. Also, the scope of the incident and the notice triggers is changing all at the same time. So again, traditionally, the notice triggers related only to personal information, but increasingly, notice triggers relate to broader security issues like the integrity of data and the impact on systems. And a couple of good examples of that are New York Cybersecurity Regulation, which requires affected financial institutions to provide notice when there's not just unauthorized access to personal information, but disruption or misuse of an information system. And there's a similar law in the insurance sector, which is starting to spread and has been adopted in about 20 states. There's also different risks tests.
So in some states there's an analysis where a business who's an affected business can make a risk analysis on its own, but then other states, they have to do that risk analysis in consultation with law enforcement agencies. And lastly, in terms of complexity, there's different reporting timeframes. It used to be that all the states said and most federal law said, "Hey, you need to provide notice within, say, 30 days or a reasonable amount of time." But there's an increasing change towards shorter and shorter times. Like 24 hours if it's a state agency in Idaho, and 72 hours in New York under the cybersecurity law, 10 days in Puerto Rico for the attorney general and so on. And there are even some states where the attorney general has to be informed before affected individuals. But that's only three out of 50 states. So it's really complex.
The second part of your question is what are changes are coming. And at the state level, I'm expecting constant changes as it's been the last few years. So I think states are gonna keep passing more complex laws that create more conflict. There's also a federal law on the table that might possibly create some more certainty and preempt some of these state laws. But who knows whether that's gonna happen, frankly, because a law like that's been pending for years. And the last thing I wanna say in terms of what's coming, what's really interesting to me is CIRCIA or CIRCIA, however you want to pronounce it, which is the Cyber Incident Reporting for Critical Infrastructure Act. That was signed this past year, roughly a year ago. And it applies to 16 categories of critical infrastructure. But what's interesting about it is it applies to industries which are already heavily regulated, like financial institutions and healthcare, and then some others which are kind of obvious, like nuclear reactors and dams and government officials, sorry, facilities, but then it extends to areas which aren't as obvious like communications, information, technology, food, agriculture, and waste transportation systems.
But in terms of what is gonna change is that, importantly is that notice to the government is gonna have to be provided within 72 hours. And again, there's a shift from just providing notice that there's been affected data, personal information to a shift where there's an impact on safety or resiliency of operational systems or disruptions of critical business or industrial operations. There's also a notice of ransomware payments within 72 hours. And I think a real important difference is traditionally, when business and organizations notify a government or affected individuals, they're very nervous about what is in the notice because those notices become public. Whereas what's interesting about CIRCIA is that the notices to the government are actually exempt from freedom of information disclosures and they can't be used to trigger litigation except in certain narrow circumstances. So it actually frees up the affected organization to I guess be more honest about what is in the disclosure. So in a nutshell, that's it.
Host: Right. Thanks, Keith. Samrah, does cyber incident response legislation reduce cyber risk?
Samrah Kamzi (Chief Innovation and Risk Officer - RESRG): So, yes, the short answer is yes, but I would say it does not eliminate the risk. It does definitely reduce the risk. So one of the things, I mean, some of the things that it is doing the legislation and evolving and emerging regulations are doing, it's actually forcing organizations to actually look at their baseline for detection and response and reporting. So that's one of the most important things that we're seeing. And then that helps them identify their gaps, and it helps them sort of fill in those gaps, whether it's internally through board education, through other types of internal solutions or through external software solutions that they would be implementing.
So I think that is one of the biggest positives that's coming out of it, that there is this holistic review of what is happening within the organization, what the organization was already doing, and then moving to a collaborative state and actually educating not just... So previously, this was really the responsibility of IT or the security organization, but now it's moving pretty much across the organization and especially, you know, moving to the board level, so, and educating the board that it's a very big buy-in, but also a very big support for the organization as to how robust these measures should be. So definitely this is going to create a lot of transparency across the organization.
It will also make the organization more agile and more proactive in managing these threats, which obviously is going to mitigate and reduce the risk. It's definitely not going to eliminate because, you know, there's this saying that criminals are like at least two steps ahead of us, and when it comes to cyber criminals they're usually like 10 steps ahead of the defense. So I don't believe that it's going to completely eliminate the risk, but definitely it may build a more robust security posture within the organization.
Host: Right. That's interesting. Kelly, what are the biggest challenges posed by the increased legislation in cyber incident response?
Kelly McCracken (SVP, Detection & Response - Salesforce): Yeah, as Keith stated, one of the hardest pieces is really being able to determine if the incident is reportable. Often we don't know right away when the incident is detected. And with all the regulations being slightly different there, it's really causing there to be these snowflakes, and it's putting an operational burden on the companies to determine if they're complying with all the regulations appropriately. We need to have more alignment on reporting requirements and keep it from really distracting the teams from doing their... The job that they're there to do is to reduce the impact as quickly as possible of that incident on the organization and on their customers.
We need to have alignment regarding the thresholds for reporting, the timeframes for reporting, making it reasonable. You know, asking a team to report within 24 hours or an hour is really distracting because they start pivoting and trying to really respond to reporting that regulation versus investigating and trying to contain that incident as quickly as possible. We need to keep in mind the follow up timeframes. A lot of these regulations are saying, you know, report within the first 24 hours and then, you know, every 48 hours from then. That also is putting a burden on the team. Again, you're focusing more on reporting versus responding. The details of what need to be reported. Some regulations require one list and another regulation requires another list, which makes it very difficult to keep it all straight. And then the methods of reporting. When India came out with their regulation last spring, I think the regulation was requiring you to report logs via a fax machine. Well, I mean, for us at Salesforce, to print out logs and fax it, we'll be faxing all day long. So we also need to think about the global companies all over the world.
An incident that impacts a company that is global require multiple reports to multiple regulators all asking for the different information. And it really is pivoting, as I said, away from us investigating and scoping and containing that incident as fast as possible. And instead we're focused on trying to check all the boxes of the regulations. The goal of the regulation should be to ensure we are giving the response teams the time and space to investigate, and contain the incidents as quickly as possible, and not to distract away from that. Many of the regulatory bodies that are asking for this information, they're not going to be able to do anything with that information that's reported to them within 24 hours of incident detection. All they're being told is that there's something that's happened, so we should think about the timeframes and give the teams enough time to first focus on containing, investigating and containing, and then focus on the reporting to the regulators.
Host: Right.
Samrah: Okay. Can I just add something? I'm sorry, I just wanted-
Host: Yeah, absolutely.
Samrah: to add because there was, from a risk perspective, over-reporting can also be detrimental. So, you know, depending on what you're disclosing and if you end up disclosing your intellectual property, or, you know, even a cyber defense posture, you are giving a lot of information to the hackers and it could compromise your posture. So that is also very important, just finding that balance of what to report and how much to report. Sorry, I just wanted to make sure that I put that in.
Kelly: That's exactly right. And if you're reporting before you're containing or if you don't know how the threat actor got into your environment in the first place, you really are tipping your hand to the threat actor and making the game much harder.
Host: Great. Thanks for your comments. And then a question for Vaughan. How have increased regulations changed what organizations are looking for in cybersecurity software?
Dr. Vaughan Shanks (CEO - Cydarm Technologies): Yeah, so I think if we look at the direction regulations are going, there's a big shift from compliance related regulations towards regulations that now also govern risk related activities. So previously when we think about regulations, you know, you think about certifications like PCI DSS, SOC2, FedRAMP, you know, ISM over in the part of the world where I'm from, ISO 27001. So a lot of these standards that govern really how you manage your control posture. And really, risk management was, and there's often that risk versus compliance debate about does compliance really help with risk?
I think now there's a more explicit focus on risk, and so you went from having these platforms where you can manage all these compliance check boxes and make sure you've got the right key lengths and that you've got the appropriate, you know, patching schedules and all of that. And you're moving from that towards more examining how your processes are organized and whether you can respond in a timely fashion, as others have mentioned. And I think there's really a burden now, not just on having an incident response plan. That's often a mandatory part of a lot of these regulations. You must have an incident response plan, but the next question is, are you using it? You know, is it a PDF that sits in a shared drive somewhere gathering dusts? And in theory, we're ready if the worst happens, but can we show that we're regularly testing the incident response plan? Can we show the records of going through tabletop exercises? When we have an incident, do we have a log that shows we followed our own incident response plan? And I think that is changing what the market is looking for in terms of cybersecurity software.
Host: Right. And would anyone else like to add anything? Maybe Samrah?
Samrah: Yeah. I mean, I think one of the, and Vaughan actually touched on most of it, and especially one of the things in there is like the audit logs or the time stamping of what steps have been taken and when incidents were recorded and how they were responded to. Because right now, one of the biggest things is transparency from the regulator side. And if you have a solution or if you have a process that provides that transparency from an end-to-end perspective, that is one of the most important things that organizations are looking for.
And also, you know, when it comes to like point solutions, I think that is pretty much not something that is previously that is all we had, but now we've got a lot of collaborative tools and end-to-end solutions for the most part. And that is also quite attractive to, especially I come from the financial services industry, which is highly regulated. So for them, that is definitely one of the most important aspects.
Host: Right. And, Keith, I have a question for you. So what are the main concerns you're hearing as a result of this increased legislation?
Keith: Well, I think Kelly really hit on a lot of these points really well earlier. I think the big picture is that, you know, there's a real gap between the ivory tower of regulations and what's actually happening in the trenches in an organization during an incident. And so, one Kelly hit on, which is keeping up and managing the differences between, especially if you're a multinational, keeping up with the state, the federal, the foreign incident response requirements, juggling them. I think Kelly said it's absolutely right, it's a huge distraction. And the reality is in more than 90% of the incidents I've been involved in, it's nearly impossible to get really manageable, meaningful information out the door in 24 hours. Because incident response is a complex process. There usually isn't, oh, an obvious answer. You've gotta figure out. There has to be forensics and diligence and discussions internally. And usually when you report something that quickly, it's frankly wrong. So I think that's one of the problems.
Another is, and that ties into, so there's not only keeping up, but the reasonableness of the notice requirements. I think measuring them in terms of hours rather than days, you know, sounds great as legislator, but it's just not practical. The third I'd say is understanding where to draw the line on reportable systems incidents. So these new laws like CIRCIA are saying okay, not only are incidents reportable when they affect personal information data of individuals, but also if they, you know, may interrupt systems, even when they're not successful. The challenge is, I mean, and all the folks on here will know that, you know, systems, especially, like large financial institutions are hit thousands and thousands of times a day with unsuccessful incidents. So understanding where you draw the line between an unsuccessful incident and one that needs to be reported is super important.
And lastly, I'd say, and this is probably an issue for Kelly in particular, you know, who works for Salesforce who've got clients all around the world, if Salesforce is providing its services to folks in the critical infrastructure world, how much of those new laws under CIRCIA will flow down to vendors like Salesforce? And so that becomes a huge burden, I think, for vendors, especially if it's a vendor that's not in an industry-specific business and are providing services across the board like Kelly's.
Host: Right. And, Samrah, are there any technological innovations that you're seeing in response to increasing regulatory compliance requirements?
Samrah: Yeah. So like I said, the rise of the collaborative tools, that's definitely one of them. You know, the other aspect is the supply chain, and basically, Keith mentioned, you know, talking about the vendor, so that supply chain or third-party risk management solutions that help mitigate cyber incidents. And especially when it comes to frameworks like Zero Trust, which is, again, it contains contains the threat by micro-perimetering and micro-segmentation and ensuring that the network is secure. So collaborative tools are an end-to-end collaboration that is very big that I've seen emerging and taking precedents over point solutions. and then the third-party or supply chain management because, you know, like Keith mentioned, institutions are constantly being targeted and some of these are coming in through APIs and apps and third-party access. So that is definitely where I'm seeing a lot of innovation occurring.
Host: Right. And, Vaughan, would you like to add anything to that?
Vaughan: Yeah, something else, you know, and to my previous point about showing evidence that not only have a plan, but you're following it, being able to actually have standard operating procedures that are baked into a system so that your incident responders can actually collaborate together and actually work on the standard operating procedures in a platform is very useful. And then also having a record of who did what when, so you can go and look through how these procedures were followed. And this is something we're certainly seeing and this is, you know, speaking to our own software platform, Cydarm, something that we see the government space leading in. They have a need to demonstrate to their own internal auditors that they're following their own practices and they have documentary records of that.
But I think the regulations coming from government are pushing the same kinds of requirements onto, you know, starting with critical infrastructure, the banking sector and all of that. I think that there are some other interesting innovations, and, you know, many of you will have heard of software bill of materials. I think there are some really interesting products coming out in that space. And also being able to integrate data from many different sources. You know, we talk about this ability to rapidly report what's happening, having this 360 view of everything in your environment and pulling all the data together. And I think interoperability technology's gonna become increasingly important.
Keith: Can I just add to that, Vaughn, and maybe this is a question for you, one of the things that I'm seeing, I'm observing is as especially with larger organizations where there are separate teams, there's a separate privacy team an operations team and security team, really there's a need for software to bring all that together, you know, the software like Cydarm brings to the table. And it seems to me, you know, one aspect of that is there's oftentimes a risk of actually using in-network internal communications to gather all this information together because there could be a threat actor in the system watching it.
So one of the things that I would, my observation is there need to be better tools for actually going offline in a cloud that's unconnected to a network to bring all those players together in a consolidated way, rather than, for example, may of my clients are on an ad hoc basis, going to Signal and setting up Signal communications. Which is great and it's offline, but it doesn't integrate with all the other pieces that need to happen from log files, et cetera, and incident reports.
Vaughan: Yeah, absolutely, and I would add to that as well. Once you have this collaborative, you know, cross-disciplinary team, how are you maintaining access control across that? If you've gotta bring IT ops into a situation, are they allowed to see all of the incident data or would you prefer to keep them at arm's length and still have that rapid collaboration but filter what they see? And that's certainly, you know, part of the solution we offer is tools to manage that.
Host: Right. And a question for Kelly, so what effect are additional compliance requirements having on detection and response staff?
Kelly: Yeah, I mean, especially as a global organization, it's a huge burden because if we have an incident that's impacting our customers in multiple countries, that's multiple regulations that we may have to be reporting to and complying with. And trying to, you know, make sure the staff is aware that we have these reporting obligations. But it's also not just the detection response staff that it's a burden to, it's a burden to the legal teams making sure they're keeping track of all the different regulations out there. And for them to be able to identify that on top of all the contractual obligations we have to our customers.
When the India directive came out we had a couple weeks to comply with it, and we had to build separate a process around it. We had to do asset tagging, get automation in place. We had to make sure that we could reduce the burden on the team as much as possible and to reduce the risk of us making a mistake and missing something. So we had to set up special detections and alerting on various assets and customers that were based in India so it wasn't a burden. And way that we did that is we created playbooks, automation, specific alerting, but we also created templates and we also exercised the process. As Vaughn mentioned, it's very important that you exercise your process to make sure that the teams are aware of what they need to do with the various regulations that are out there.
Host: Right. So we have two minutes left, and I would like to ask you, what are the top recommendations for regulated industries to improve cyber incident response in order to comply with regulations? Who would like to answer that?
Kelly: I mean, my recommendation would be provide feedback to the regulators. Try to push for unified reporting requirements across the board 'cause that would reduce the burden on the incident response teams that are already, you know, stretched thin when it comes to an incident and stressed to try to make sure that they're reducing the impact as much as possible as quickly as possible.
Samrah: I can say that, you know, evaluate your readiness response and remediation processes. Look at the baseline, see what the gaps are and, you know, fill those gaps. Again, I believe like having a collaborative process, either through a software platform or internal processes is very, very important. So ensuring that it's a cross-functional team sport that you are engaged in, that's actually also very important. And then having a team, like a legal and compliance team that is on an ongoing basis, engaging with lawmakers and regulators on an ongoing basis. So you know you are never caught on the back foot, but you know what is emerging and how you can actually be prepared on an ongoing basis. And then just continuous monitoring is really important to putting a process on that and access control, as Vaughan had mentioned.
Host: All right. Excellent. We have less than a minute left. Thank you so much for all our speakers for this amazing presentation and sharing their thoughts and insights, experience with our audience. And for our audience, to join the next session, please use the lobby page and you'll be able to access the next presentation. Many thanks, and see you there. Bye-bye.