In litigation, specificity is crucial. In criminal cases, the standard of proof is “beyond a reasonable doubt,” meaning prosecutors must convince the jury that the evidence leaves no reasonable doubt about the defendant's guilt. In civil cases, the standard is “preponderance of the evidence,” meaning the plaintiff must show that the facts are more likely than not to be true.
For regulators overseeing companies' cybersecurity efforts, the standard is “reasonable cybersecurity”: measures to protect data that a reasonably prudent organization would take in similar circumstances. At a recent RSA Conference, the Center for Internet Security (CIS) presented a white paper on reasonable cybersecurity and how the concept intersects with privacy law.
Reasonable cybersecurity is intentionally vague and highly dependent on the circumstances. Cyber insurers often use a questionnaire asking whether various security controls are in place, and underwriters decide on that basis whether to approve the policy. But if a breach later occurs, the insurer may dispute the claim, and the answers on that questionnaire become evidence. That is what happened in 2022, when Travelers Insurance sued International Control Services for misrepresenting its security controls and prevailed.
Some standards, such as the Payment Card Industry Data Security Standard (PCI DSS), are prescriptive, while others, such as the European Union's General Data Protection Regulation (GDPR), are more flexible. GDPR expects organizations to make good-faith efforts to give users control over how their data is used and who has access to it. To achieve this, organizations must be transparent and open in providing users with the information they need to understand how their data is collected and used.
According to the legal definition on the Cornell Law School website, “reasonable” means “just, rational, appropriate, ordinary, or usual in the circumstances.” In practice, reasonable can mean just about anything a business manager wants it to mean.
Quantifying Cyber Risk
Boards and management define what makes business sense for their organizations in terms of cyber capabilities, says McKinsey partner Charlie Lewis. Quantifying cyber risk goes a long way toward determining what is and isn't reasonable, Lewis noted, adding that Federal Reserve Vice Chair for Supervision Michael Barr has highlighted the need to improve this emerging discipline in a January statement to a conference on measuring cyber risk in the financial services sector.
“Better data on cyber threats and vulnerabilities will help identify and assess threats to banks and the financial system,” Barr said. “Furthermore, improved data on the interconnectivity between financial institutions and service providers will help identify and measure the impact of incidents on the financial system as a whole.”
“Quantifying cyber risk allows you to set your risk tolerance in a way that gives you insight into your control performance and how well you're performing,” Lewis says.
Along with “reasonable,” another word Lewis says boards need to focus on is “materiality.” He points out that recent rule changes from the Securities and Exchange Commission have helped define materiality for disclosure purposes, adding that other regulatory requirements also identify specific required security controls. Knowing these required controls and how they are used in an enterprise environment helps an organization build a defensible claim to reasonable cybersecurity.
Enabling security controls
Curtis Dukes, executive vice president and general manager at CIS, agrees that it is important to balance materiality with reasonableness. In a recent 10-K filing with the SEC, one company stated that a forensic investigation into a breach had not found a material impact on revenue or operations. While this statement met regulatory requirements, it was issued before the full impact of the breach was known. Early findings from a forensic investigation may be incomplete or simply incorrect, so a materiality determination made on them can be overtaken by later evidence.
Meeting the reasonableness test is “highly subjective,” Dukes said. “Usually it's something for a judge or jury to decide, [and] there will be some kind of lawsuit that will hold them accountable.”
To clear up much of the confusion, security frameworks such as the NIST Cybersecurity Framework (CSF) and the CIS Critical Security Controls (CIS Controls) give companies a documented set of controls to point to when they must show both that their security is reasonable and that they meet specific regulatory requirements. Organizations that implement such a framework also typically satisfy cyber insurance requirements. A framework is evidence of reasonableness, not a guarantee of it: as Dukes notes, the question is ultimately decided case by case.
Dukes adds that sound cybersecurity is also a strong defense against AI-enabled attacks: “If you have the right data, governance programs, up-front principles, and are using a set of cybersecurity best practices in the form of controls and foundational protections to protect your data, you can significantly mitigate the threat of artificial intelligence.”