Making the Case for Reasonable Cybersecurity

At the recent RSA Conference, the Center for Internet Security (CIS) introduced a detailed white paper on the concept of reasonable cybersecurity and how it relates to privacy laws. Reasonable cybersecurity, a phrase that is intentionally ambiguous, is a standard that depends heavily on context. In the realm of cybersecurity insurance, companies often require policyholders to fill out questionnaires about their security measures. Based on these responses, insurers may approve or deny a policy. However, disputes can arise if a breach occurs and the insurer challenges the validity of the claim. This was exemplified in a 2022 case in which Travelers Insurance won a lawsuit against International Control Services for misrepresenting its security controls.

Different cybersecurity standards, such as the prescriptive Payment Card Industry Data Security Standard (PCI DSS) and the flexible General Data Protection Regulation (GDPR) in the European Union, offer varying levels of specificity. The GDPR mandates that organizations must make a good faith effort to give individuals control over their data usage and access. To achieve this, organizations must transparently provide individuals with the necessary information to comprehend the collection and utilization of their data.

According to the legal definition provided by the Cornell Law School website, “reasonable” is described as just, rational, appropriate, ordinary, or usual in the given circumstances. This term, however, can be subject to interpretation by corporate management and can mean essentially what the entity wants it to mean.

Quantifying cyber risk is a crucial aspect that helps determine what is considered reasonable in terms of cybersecurity. Charlie Lewis, a partner at McKinsey, emphasizes that both the board and executive management play a key role in defining the appropriate level of cybersecurity capabilities for their organization based on their specific business needs. By quantifying cyber risk, organizations can set risk tolerance levels, assess control performance, and evaluate the effectiveness of their capabilities. This approach aids in defining what constitutes a reasonable cybersecurity defense.

In addition to reasonableness, Lewis highlights the importance of focusing on materiality. He notes that recent rule changes by the Securities and Exchange Commission contribute to defining materiality for disclosure purposes, helping organizations identify specific security requirements mandated by regulations. By understanding these controls and their application within a corporate environment, organizations can fortify their cybersecurity defenses effectively.

Enabling security controls is an essential component of achieving reasonable cybersecurity. Curtis Dukes, the executive vice president and general manager at CIS, emphasizes the significance of balancing materiality with reasonableness. He points out that subjective assessments of reasonableness are typically determined by judges or juries in litigation scenarios. To streamline this process and alleviate confusion, security frameworks like the NIST Cybersecurity Framework and CIS Controls offer enterprises the necessary controls to comply with legal requirements and meet regulatory standards. Implementation of these frameworks not only helps meet cyber insurance prerequisites but also strengthens defenses against artificial intelligence attacks.

Dukes asserts that a robust data governance program, coupled with adherence to cybersecurity best practices and the implementation of appropriate controls, can effectively mitigate the risks posed by artificial intelligence threats. By incorporating these strategies into their cybersecurity posture, organizations can enhance their overall security resilience and better protect against evolving cyber threats.
