It is unlikely that any insurance industry conference in 2015 and beyond will omit a session on cybersecurity. I have attended many sessions already. What fascinates me more than the subject matter itself is that each one is significantly different from the others. I have attended sessions that I can barely understand because they are so technical, and others that barely go beyond a mere warning that we all need to be careful about online and network security. I try to approach each session with an open mind and few expectations so that I can get the most out of it, no matter what the focus.
At the ACLI Legal and Compliance Section Annual Meeting, there were two sessions on cybersecurity. Both were general sessions and each had a different focus.
At the first, specifically titled “Cybersecurity”, John Walsh, a partner at Sutherland, made a strong point of avoiding technical jargon. He emphasized the changing nature of the risk, from one based in criminal activity to today’s cybersecurity risk that is solely for the purpose of disruption. His point was that criminals want to get paid, and therefore it is possible to find them by following the money. When disruption is the goal, there may not be a money trail to follow. He also spoke of the politics of cybersecurity, indicating that there has been actual bipartisan congressional action on this issue, e.g. HR 1560 (Protecting Cyber Networks Act) and S-754 (Cybersecurity Information Sharing Act of 2015). Walsh’s view was that we may see actual legislation on this issue pass and be signed by President Obama.
From there, Walsh focused on the SEC/FINRA efforts to build expertise and to pursue exams while that expertise is being built, and on the significance of the reports issued by both agencies. FINRA’s Report on Cybersecurity Practices was designed to help firms respond appropriately both to the risk of cyberattacks and to the attacks themselves, while the SEC’s risk alert was based on exams of 57 broker-dealers and 49 RIAs. Both were issued in February of this year. Walsh’s focus was on the Legal and Compliance role in cybersecurity, saying it is the same as in all compliance issues: preventative, detective, corrective and predictive. He suggested compliance questions such as: Who is running the security program? What are their credentials and expertise? What standards are they assessing against? How often is testing happening? What checks and balances are in place? Are there reasonable policies and procedures in place? These are familiar questions, and from a compliance perspective, that is the appropriate role. He reiterated that we in compliance do not have to be engineers to be effective in our positions, but we need to be active and keep digging for information. Finally, he warned of the culture clash between engineers and compliance. Engineers often respond that they followed procedures. Compliance’s role is to ask whether those procedures are reasonable.
This session was extremely valuable because of its focus on compliance as compliance and the very clear ways it laid out for compliance to add significant and unique value to enterprise efforts on cybersecurity.