Although most cyber-security regulation has been targeted at specific data or industry sectors, one of the most effective ways to push requirements out to all businesses is to impose regulations, or “guidance,” on government contractors and public companies. The Securities and Exchange Commission and federal procurement regulators have chosen this path and have become increasingly specific with respect to cyber-security requirements.
The Federal Information Security Management Act (FISMA), enacted in 2002, imposed cyber-security requirements on agency and contractor systems and required compliance with certain Federal Information Processing Standards. It requires risk-based information-security measures and applies to data and systems operated by a contractor on behalf of an agency.
In 2016, the Federal Acquisition Regulation (FAR) rule on Basic Safeguarding of Contractor Information Systems was implemented, which requires 15 security controls. The regulation applies to all government contractors and is effective when included in contracts.
Following a series of breaches at agencies and defense contractors, the Department of Defense, in 2013, created its own cyber-security procurement regulations, which require contractors and subcontractors to safeguard computer systems and report data breaches within 72 hours. The rule does not apply to contracts for commercial off-the-shelf technology. The Defense Federal Acquisition Regulation Supplement (DFARS) now requires defense contractors to comply with NIST guidance on protecting controlled unclassified information, notify the Defense Department of incidents within 72 hours, save all data associated with an incident for 90 days to enable the Defense Department to review or inspect the system, and notify the department if a cloud provider will be used.
“Concern grew exponentially as the end of 2017 approached and contractors realized they were not in compliance with DFARS requirements, particularly NIST 800-171,” says David Bodenheimer, a public contracts partner at Crowell & Moring. Bodenheimer points out that the Defense Department has several avenues to enforce its cyber-security requirements, including refusing to do business with the contractor or disqualifying it; giving the contractor a negative past performance review, thereby reducing its opportunities for future awards; suing the contractor for breach of the cyber-security safeguards clause in the contract; blacklisting or debarring the contractor; and bringing a False Claims Act suit against the contractor if it falsely implied in its proposal that it was in compliance with 800-171.
“Subcontractors are particularly vulnerable, as their prime contractors may cut them from contracts if they are not in compliance with 800-171,” Bodenheimer says.
The SEC formally entered the cyber-security regulatory realm in 2011 with its “Corporate Finance Disclosure Guidance: Topic No. 2,” which guides public companies on disclosure of cyber-security risks and cyber incidents. The SEC advised companies to disclose cyber-security risks if these risks are among the most significant factors that make an investment in the company speculative or risky. In February, the SEC issued “interpretive guidance” to assist companies in preparing disclosures about material cyber-security risks and incidents. The guidance expands on what cyber risks may be material and puts more responsibility on directors and officers for managing cyber risks.
In 2014, the SEC conducted a series of examinations of the cyber-security programs of registered broker-dealers and investment advisors to identify cyber-security risks and assess cyber-security preparedness in the asset management industry. The following year, the commission issued “Guidance to Registered Investment Funds & Advisers on Cyber Security,” which discusses a number of measures funds and advisors may wish to consider when addressing cyber-security risks, including risk assessments, cyber-security strategies, and policies and procedures.
In 2017, the SEC established a cyber unit in its Enforcement Division to target cyber-related misconduct. The unit wasted no time. Last December, it obtained an emergency asset freeze to stop an initial coin-offering fraud that had raised $15 million from thousands of investors.
The SEC means business (even though it took until September 2017 to disclose its own breach, which took place and was detected in October 2016). “Businesses should take seriously the SEC guidance on cyber security and the need for well tailored and consistently implemented policies and procedures around data, vendor and network risk management,” says Gwendolyn Williamson, a partner with Perkins Coie who represents investment and business development companies.