By Eben Kaplan
WASHINGTON – It has been called “the most important cybersecurity case you’ve never heard of,” and now it’s getting a second life. The core issue in the dispute between the Federal Trade Commission (FTC) and Wyndham Worldwide Corporation is whether the FTC has the authority to enforce data security standards in the US commercial sector. Last April a federal judge ruled in favor of the FTC, but Wyndham has appealed. The 3rd Circuit Court of Appeals heard oral arguments earlier this month, and regardless of how that court rules, that decision is also likely to be appealed.
Until the case is decided, regulatory enforcement of cybersecurity in the United States will remain in a state of limbo. The FTC has authority under the Federal Trade Commission Act to prohibit “unfair” or “deceptive” business practices. It claims this authority extends to cybersecurity practices, and Wyndham argues the FTC is overreaching.
To date, the FTC has brought suit against some 55 companies for maintaining “unreasonable” cybersecurity practices. Yet the commission has never formally defined what constitutes “reasonable” security; and it’s not about to anytime soon. Earlier this month FTC Commissioner Julie Brill suggested that her agency would not define a comprehensive standard until the Wyndham case is resolved. In the meantime, companies must piece together a definition of reasonableness from a collection of guidance, tips and blog posts on the FTC’s website.
If the FTC ever does issue a formal standard, don’t expect a list of controls that companies should implement. Such specific guidance is apt to become obsolete as soon as it is issued. Rather, Commissioner Brill indicated that the FTC is more concerned that companies take a holistic approach to managing cyber risks—in other words, it is better to have the right risk management framework than the right security widget.
This emphasis on process is not unique. It is the same approach the US National Institute of Standards and Technology took when issuing a set of voluntary guidelines for critical infrastructure providers last year. Those guidelines, called the Cybersecurity Framework, emphasize “using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.”
Another government regulator, the US Securities and Exchange Commission (SEC), last year undertook a review of cybersecurity practices among registered broker-dealers and investment advisors. The findings from that review, released last month, also appear to emphasize process over products. The SEC focused broadly on firms’ practices for identifying and addressing cyber risk, such as the use of external standards, participation in information-sharing networks or the designation of a chief information security officer.
Though companies may find the absence of specific cybersecurity standards frustrating, regulators’ apparent preference for more process-based measures is appropriate. Networks cannot be secured through box-checking exercises; cyber due diligence requires thinking more like a would-be hacker than an auditor. Most of the time, these process involve questions about corporate strategy that should ideally be addressed by an organization’s senior leaders. No matter where regulators decide to set the bar, any organization whose leaders are focused on cyber risks is likely to clear it.
Eben Kaplan is a Senior Consultant at Control Risks, the global risk consultancy.
This article was written by Control Risks from Forbes and was legally licensed through the NewsCred publisher network.