Making the Case for 'Reasonable' Cybersecurity
In litigation, specificity is crucial. "Beyond a reasonable doubt" is the standard of proof in criminal cases, and prosecutors have to convince the jury that the evidence leaves no reasonable doubt about the defendant's guilt. In civil cases, the standard is "preponderance of the evidence," meaning the plaintiff must show that a fact is more likely than not true.
For regulators overseeing enterprise cybersecurity practices, the standard of proof is "reasonable cybersecurity," or taking measures to protect data based on what a reasonably prudent person would do in similar circumstances. At the recent RSA Conference, the Center for Internet Security (CIS) released a detailed white paper on reasonable cybersecurity and how the concept intersects with privacy laws.
"Reasonable cybersecurity" is intentionally ambiguous and depends heavily on context. A cyber insurance carrier will often use a questionnaire asking whether various security controls are in place, and underwriters might or might not approve a policy on that basis. But if a breach occurs later, the insurer might dispute the claim, as happened in 2022, when Travelers Insurance won a lawsuit against International Control Services over misrepresented security controls.
Some standards, like the Payment Card Industry Data Security Standard (PCI DSS), are prescriptive, while others, like the European Union's General Data Protection Regulation (GDPR), offer more flexibility. The GDPR states that an organization must make a "good faith effort to give people the means to control how their data is used and who has access to it. To accomplish this, you must transparently and openly provide them with the information they need to understand how their data is collected and used."
According to the Cornell Law School website, the legal definition of "reasonable" means, in part, "just, rational, appropriate, ordinary, or usual in the circumstances." In reality, reasonable can mean almost anything corporate management wants it to mean.
The board and executive management define what makes sense from a cyber capability perspective for their organizations, says Charlie Lewis, partner at McKinsey. Quantifying cyber-risk goes a long way toward determining what is and is not reasonable, he says, noting that Federal Reserve Vice Chair for Supervision Michael Barr underscored the need to improve this nascent technology in remarks to the Conference on Measuring Cyber Risk in the Financial Services Sector in January.
"Better data on cyber threats and vulnerabilities will enable us to identify and assess threats to banks and the financial system," Barr said. "In addition, improved data on interconnectedness between financial institutions and service providers will help identify and measure the impact of an incident on the broader financial system."
Along with the term "reasonable," another word that Lewis says boards need to focus on is "materiality." He notes that the Securities and Exchange Commission's (SEC) recent rule changes help define materiality for disclosure purposes, adding that other regulatory requirements also identify specific required security controls. Knowing these required controls and how they are used in a corporate environment helps develop a reasonable cybersecurity defense.
Curtis Dukes, executive vice president and general manager at CIS, agrees that balancing materiality with reasonableness is essential. In a recent 10-K filing with the SEC, a company said its forensics investigation of a breach found there was no material impact to earnings or operations. While this statement met the regulatory requirement, it was stated before the full impact of the breach could be determined. The initial results of a forensics investigation could be incomplete or simply wrong.
Meeting the standard for reasonableness is "highly subjective," Dukes says. "It's typically up to a judge or to a jury to decide [and] assess fault in some type of litigation for that."
To eliminate much of the confusion, he says, security frameworks such as the NIST Cybersecurity Framework (CSF), CIS's own Critical Security Controls (CIS Controls), and others give enterprises the controls they need to meet the legal requirement for reasonableness, as well as the controls needed to meet regulatory requirements. Organizations that implement these frameworks also generally meet cyber insurance requirements.
Reasonable cybersecurity is a strong defense against artificial intelligence attacks as well, Dukes adds.
"If you have a good data governance program ... in place, and you're protecting data, using a set of cybersecurity best practices in the form of controls and underlying safeguards, then you're largely mitigating the threat of artificial intelligence," he says.