Cyber Security Reaches Tipping Point (or Critical Mass)

Investment into Business Cyber Security Is Critical for Survival

ONE TRILLION DOLLARS.  That number should grab the attention of every CEO in America.  The breach by Marriott Hotels pushes their potential financial liability to surpass a trillion dollars. The breach by Marriott Hotels was again, massive and by all estimates second only to Yahoo’s breach a few years ago.  The liability created by this breach could eclipse the billions of dollars from the Equifax breach (Northern District of Georgia, Federal Judge Thomas Thrash). For the first time, the liability could be greater than one trillion dollars, many times more than the Marriott hotel chain is worth.  This liability could wipe out the shareholders of Marriott, the officers of the corporation and even the board of directors.

Recognizing the difference between a technology cyber program and a business cyber program is key to understanding both the breach of 150 million individuals private information at Equifax and the latest breach of over 500 million people in the Marriott fiasco.  Equifax claims to have spent $46.7 million after the breach that released private information on millions of Americans.  Though that number sounds quite impressive, the single most important question remains.  Did Equifax do the one thing that the Federal government has been begging virtually every U.S. business like Equifax and Marriott to do – assert leadership over the business of cyber security? 

American businesses have spent literally billions of dollars in protecting cyber security infrastructure, or “technology cyber security”.  While these expenditures are appropriate, the cyber breaches of the last few years with companies like Yahoo, Equifax, FedEx and Maersk, law firms like DLA Piper, airlines Delta, British Airways and Cathay Pacific, these cyber breaches at their core, were not failures of the technology of cyber security, but rather the failure of the business of cyber security. This is a gross failure of corporate leadership to invest and instill business cyber security into their corporate cyber culture by setting policy, training people, and creating processes to protect valuable corporate information.

In 2013, recognizing that U.S. businesses and the U.S. economy were facing a huge cyber threat, President Obama issued by Executive Order (EO13636, February, 12, 2013) a directive to the National Institute of Science and Technology (NIST) to create a flexible standard for protecting the nation’s most valuable asset – the businesses of the United States. The hacking of sensitive information like intellectual property from Sony, Boeing and Lockheed by criminals and foreign states like North Korea, China and Russia, and private personal identity information in the Marriott breach, demonstrates how real the consequences are for U.S. companies. 

With active participation from more than 3000 experts from government, academia and private enterprises, NIST created the Cyber Security Framework (CSF) that was released in early 2014. The NIST Cybersecurity Framework is comprehensive and focuses beyond specific cyber technologies to emphasize the business side of cyber security. CSF requires that the right people, policies and processes are implemented and maintained throughout all levels of the organization.  While the government cannot require private companies to use CSF, they can mandate the implementation of NIST CSF in regulated businesses, like financial institutions, which are insured by the government.  In the banking industry, the government requires that insured institutions utilize the Federal Financial Institutions Examination Council (FFIEC) Cyber Assessment Tool based on the NIST CSF in order to maintain the backing of the FDIC.

In May 2017, President Trump issued an Executive Order (EO 13800, May 11, 2017), which required all agencies of the Federal government to use the NIST CSF to assess and report to the Office of Management and Budget on the maturity and resilience of their organizations. These steps have forced the largest users of technology and holders of intellectual property in the United States to put into practice business cyber security and use the NIST CSF for protection from breaches.

It’s important to note, that the losses and potential liabilities of American businesses such as the Marriott breach, will likely exceed all of the billions and billions of dollars invested in the technology of cyber security in the last decade.  Yes, that’s right, trillions of dollars.

Understanding that the risk to the American economy is so great, the Federal government by law has provided another protection called The SAFETY Act  [6 U.S.C. § 444(2)]. The SAFETY Act should further motivate the boards and executive management of American companies to take appropriate action to invest in business cyber security. The protection loosely says the government will substantially limit your organization’s liability if companies will use NIST CSF to manage the business of cyber security.  Specifically it says, if you use DHS-vetted software to manage your cyber resilience with NIST CSF, the Federal Government will extend to your company, its shareholders, executives, and board members protection up to, and in some cases including, the full sovereign protection of the US Government.   

So, in light of the latest and potentially biggest business cyber security breach of the Marriott Hotel chain, will leadership take steps to invest in business cyber security to protect their businesses?  Probably not.  Not until we see a company like Equifax or Marriott fail as a result of their failure of sound leadership around business cyber security. To do nothing is a damn shame. Especially when the Federal government has done so much to try to get companies to do the right thing and to understand that there is a significant difference between technology cyber security and business cyber security.

Boards of Directors and executives will continue to ask that technology teams provide technology cyber security.  That’s good, but not good enough.  There is no question that with the massive cyber breaches we have seen in the last few years, boards of directors and company executives must begin to demand adequate business cyber security.  To do less is wildly risky, perhaps irresponsible and those boards, executives and shareholders could be held personally responsible, as evidenced by the direction of the Equifax lawsuits.