In earlier blogs, (here and here) we discussed weaknesses of the new industrial insider threat program regulation, the National Industrial Security Operating Manual (NISPOM) Change 2. As the November 30 deadline for initial NISPOM 2 compliance approaches, it is an opportune time to contrast those weaknesses with the strengths of a recently proposed cybersecurity regulation for financial services firms.
The strengths of the cybersecurity regulation provide important lessons for policymakers to consider as they implement NISPOM 2 and try to compel companies to design effective programs, rather than to merely comply with minimal standards.
The proposed cybersecurity regulation, known as the Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards, was introduced on October 19 by the Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation. These agencies are considering applying enhanced cybersecurity standards to entities with total consolidated assets of $50 billion or more.
In this blog, I will highlight two important themes and how they are handled differently by NISPOM 2 and the enhanced standards.
Theme 1: Approach to Risk
The enhanced standards approach cybersecurity concerns holistically, by looking at the impact such damages may have on the financial system as a whole, not just on individual companies. The regulation is written from the perspective of the entire system, and how cyber threats from large companies might impact the functioning of this system. By providing such context, the regulation appeals to “common goals,” rather than individual mandates that do not consider the bigger picture.
NISPOM 2 is applicable to all companies with facilities clearances — large and small. The overseer of the NISPOM, the Defense Security Service (DSS), will evaluate the programs, but there is nothing in NISPOM 2 that addresses the impact one program might have on the other, or how each company might implement its insider threat programs in coordination with others and with the government. Such context could certainly help companies target the most effective use of their resources and show how they are contributing to the overall protection of classified materials. The focus on individual programs reduces such incentives, encourages waste and encourages a ‘check-the-box’ compliance approach to meeting minimum requirements with as little effort as possible.
Theme 2: Approach to Governance and Oversight
The enhanced standards are considering requiring that entities develop a written, board-approved enterprise-wide cyber risk management strategy that is incorporated into the overall business strategy and risk management of the firm. Because the board of directors would oversee and hold senior management accountable for implementing the cyber risk management strategy, the enhanced standards are considering requiring the board of directors to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. The enhanced standards talk a lot about how best to audit the cyber risk management profile and track results.
The recommendation that cybersecurity risk management is part of a company’s overall business strategy implies that cybersecurity is not just a ‘cost center’ but instead is an integral part of a company’s growth strategy and something that is not just for compliance, but could be leveraged to gain competitive advantage. Additionally, the enhanced standards acknowledge that governing bodies should be knowledgeable about cybersecurity — which implies that the governing bodies will understand the importance of cyber security and not treat it solely as a compliance issue.
In contrast, NISPOM 2 does not discuss how to best integrate an insider threat program into a company’s overall risk management program. It merely requires that an “Insider Threat Program Senior Official” be named to oversee and report results of program to DSS, and that this person be a “US citizen employee and senior official of the company.”
Clearly, the DSS — and stakeholder community — would be wise to adopt some of the approaches taken by the enhanced standards. As we’ve discussed in previous blogs, the weaknesses of NISPOM 2 stem from its focus on individual organizations, regardless of size, and its lack of emphasis on the importance of an overall holistic approach to risk. NISPOM 2 is a decidedly bottom-up, company-centric approach, rather than a top down, industry-centric approach. Providing this top-down framework and context as the enhanced standards propose to do might provide much more targeted and realistic requirements for individual organizations.
Tom Read is Vice President for Security Analytics at Haystax Technology.