In an effort to gauge industry concerns and measure corporate responses to these significant privacy and security threats, Mayer Brown conducted an informal survey of key executives and corporate counsel in 15 industry sectors between mid-November 2014 and mid-February 2015. The majority of the companies were from finance and financial institutions, professional services (law, medicine, accounting, architecture and design), utilities and energy (including extraction), health care and pharmaceuticals.
Survey respondents overwhelmingly considered the disclosure of personally identifiable information as the biggest cyber-related threat to their companies (63%). Concern about interruption of business operations such as system sabotage ranked second (24%). Less than 10% of the respondents considered theft of trade secrets as the most serious threat. Most respondents (63%) considered cyber issues to be just one more cost of doing business or that these problems can be overcome. Well over half (57%) of the respondents estimated that litigation risk posed by cybersecurity issues has a relatively modest impact on their cybersecurity planning. For some, pessimism reigns. Around 29% of respondents have a negative outlook on cyber-related issues, believing that cybercrime will always be one step ahead of legislative protections and enforcement.
The survey revealed that respondents’ concern about the adverse impact of regulatory enforcement appreciably affects their willingness to share incident information with the government. Liability protection is a critical component of a voluntary cyber information-sharing program. Without meaningful liability protection, companies will be hesitant to participate because any act or omission made by a participant based upon cyberthreat information received by that entity could subject it to liability. This concern may also explain why only 23% of respondents said that their company had built a close working relationship with either a government enforcement agency (FBI, US Secret Service) or a prosecutorial agency (DOJ or state attorneys general) on cyber issues. An equivalent percentage (23%) reported working closely with industry regulators (FTC, FCC, FDIC, CFPB). Over 40% said “no, they have no such relationship,” while approximately 24% did not know.
The survey showed that 84% of respondents expect clear national standards on data breach notification to emerge within the next five years. Smaller numbers expected national standards for securing personally identifiable information, investor disclosures and liability protection for information sharing.
This may reflect a growing recognition in Congress that having 47 different reporting standards does not make sense. Given the number of breaches that have occurred in recent years, it makes sense to instead have a clear set of standards, not just for notification but for information security as well.
Nearly 50% of respondents weren’t sure if the NIST Cybersecurity Framework has been helpful to their company in managing cybersecurity risk. This may indicate that it is premature to judge the NIST Framework, or that companies are not sufficiently aware of how it is meant to be helpful.