The Center for Internet Security (CIS) released a “Guide to Defining Reasonable Cybersecurity” at the RSA Conference this year, setting out to specify what an organization must do to meet the standard of reasonableness in cybersecurity. In the US, “laws and regulations are nearly unanimous in requiring that cybersecurity controls must be reasonable.” However, until this year there was no unanimously agreed-upon, industry-accepted definition of reasonable cybersecurity to determine if an organization was doing everything deemed rational, reasonable and necessary to prevent cyber incidents and minimize the internal and external impact of a breach.
The guide was created by CIS in collaboration with experts from the legal and cybersecurity domains. It aims to provide “practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of reasonable cybersecurity.”
It starts with a summary of the current Federal and State cybersecurity laws in the United States, including general data security laws, more prescriptive laws that detail required security measures, consumer data privacy laws, safe harbor laws, industry-specific cybersecurity laws, and more.
The authors then attempt to use existing safe harbor statutes and industry frameworks to define reasonable cybersecurity. They outline the basic questions that organizational leaders should be asking to assess their cybersecurity health, and categorize “reasonable” safeguards, using the CIS Controls as a reference, into six common-sense components:
- Know your environment
- Account and configuration management
- Security tools
- Data recovery
- Security awareness
- Business processes and outsourcing
In this blog post, we talk about some of the core concepts mentioned in the guide and why its publication has been a welcome step towards providing more clarity to organizations mired in the complexity of cybersecurity and the potential legal consequences of breaches.
What is Reasonable Cybersecurity?
Reasonable cybersecurity refers to the implementation of security measures that are appropriate and proportionate to the risks faced by an organization. It involves a balanced approach to protecting data and systems, considering factors such as the size of the organization, the nature of the data, and the likelihood and potential impact of a breach. The goal is to mitigate risks without imposing excessive burdens on the organization.
Reasonable cybersecurity is not a one-size-fits-all solution. Instead, it requires a tailored approach that takes into account the specific circumstances and needs of each organization. This includes assessing the types of data being handled, the potential threats, and the resources available for implementing security measures.
Why is it important to define reasonable cybersecurity?
Defining reasonable cybersecurity is crucial for several reasons:
- Legal Clarity: Clear definitions help establish legal standards for what constitutes adequate protection. This is important for regulatory compliance and can be used in legal contexts to determine whether an organization has met its obligations.
- Risk Management: By understanding what is considered reasonable, organizations can better assess their own security measures and identify areas for improvement. This helps in managing risks more effectively.
- Benchmarking: Clear definitions provide a benchmark for evaluating the effectiveness of cybersecurity measures. Organizations can compare their practices against established standards to ensure they are taking appropriate steps to protect their data.
- Accountability: Defining reasonable cybersecurity helps hold organizations accountable for their security practices. It ensures that they take their responsibilities seriously and implement measures that are appropriate for their specific circumstances.
What are Safe Harbor Laws with regard to cybersecurity and data breaches?
Safe Harbor laws provide legal protection to organizations that meet certain cybersecurity standards. If an organization can demonstrate that it has implemented reasonable security measures, it may be shielded from liability in the event of a data breach. These laws encourage organizations to adopt best practices by offering a form of legal immunity, thereby promoting better overall cybersecurity.
For example, the Ohio Data Protection Act protects companies from lawsuits alleging that they did not implement reasonable security controls. The law provides an affirmative defense to companies that can show they have a documented security program in place that follows an industry-accepted framework.
Similarly, the California Consumer Privacy Act (CCPA) includes a Safe Harbor provision that protects businesses from certain penalties if they can demonstrate that they have implemented reasonable security measures. This incentivizes organizations to invest in robust cybersecurity practices and helps create a safer digital environment.
How will small businesses benefit from a clearer definition of reasonable cybersecurity?
Small businesses often lack the resources and expertise to implement comprehensive cybersecurity measures. A clearer definition of reasonable cybersecurity can provide them with a minimum, focused set of data security areas to:
- Reduce the risk of breaches in a cost-effective manner.
- Demonstrate adherence to an accepted set of requirements/standards in case of legal action after a cyber incident.
- Build trust with customers and partners, who can be confident that their information is being handled securely.
How do cybersecurity frameworks help with maintaining reasonable cybersecurity?
Cybersecurity frameworks, such as the NIST Cybersecurity Framework and the CIS Controls, provide structured approaches and industry-accepted, prioritized safeguards to manage cybersecurity risks. These frameworks outline best practices and offer a roadmap to organizations for implementing high-impact security measures based on their specific requirements and the context they operate in. By following these frameworks, organizations can ensure they are taking reasonable steps to protect their data and systems, thereby maintaining a robust cybersecurity posture.
Frameworks also provide a common language for discussing cybersecurity, making it easier for organizations to communicate their needs and expectations with stakeholders, including employees, partners, and regulators.
How CYRISMA helps with maintaining reasonable cybersecurity
CYRISMA was built exactly with the idea of reasonable cybersecurity in mind. It brings together all the tools necessary to implement essential security controls and assess compliance in a SINGLE, easy-to-use and affordable platform.
CYRISMA’s compliance module also covers the two frameworks most often used by organizations to implement and demonstrate reasonable cybersecurity, and by regulators and auditors to assess “reasonableness” – the CIS Critical Controls and the NIST Cybersecurity Framework.