In Parts One and Two of this article we discussed the new Guidance issued by the Securities and Exchange Commission (SEC) Division of Corporation Finance, which addresses whether and how a company should disclose the impact on the company of the risk and cost of cybersecurity incidents (both malicious and accidental).
In particular, the Guidance suggests that companies need to evaluate cyber-related risks including:
- prior cyber incidents and the severity and frequency of those incidents;
- the probability of cyber incidents occurring;
- the quantitative and qualitative magnitude of those risks, including potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
- the adequacy of preventative actions taken to reduce cyber-related risks in the context of the industry in which they operate and risks to that security.
The Guidance specifically states that if a company outsources functions that have material cybersecurity risks, the company should provide a description of those functions and how the company addresses those risks. The Guidance also appears to recommend that companies use secure logging, which becomes challenging when functions are outsourced to the cloud.
Since researchers recently found flaws in Amazon Web Services that they believe exist in many cloud architectures and enable attackers to gain administrative rights and access to all user data, in this Part Three and in Part Four of this article we’ll discuss how you can evaluate the security of a cloud service and the contractual terms you should consider (or try to insert) in your cloud contracts.
Evaluating Security Compliance
ISO 27001
One of the best known information security management standards is ISO 27001. According to ISO:
“[ISO 27001] specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.”
The cloud service provider you select should be certified as being compliant with ISO 27001. Instead of being certified as compliant, some providers’ standard form contracts will say things like, “Supplier will meet the requirements of the ISO 27001 standard” or “Supplier will conform to the ISO 27001 standard,” neither of which is the same as being certified as compliant. Cloud service providers should represent and warrant that they are certified as compliant with the ISO 27001 standard and that they will remain certified during the term of the agreement. However, that certification is only the first step in the customer’s understanding of the supplier’s security posture.
The ISO 27001 certification means that a company has implemented the controls it has selected for its environment, but it doesn’t necessarily provide an opinion on the quality of those controls. Customers need to review a service provider’s Statement of Applicability (“SoA”), as well, to understand a supplier’s information security objectives and associated controls. Some service providers are reluctant to share their SoA, claiming that it contains sensitive security information that the company does not disclose. From a customer perspective, this should not be an acceptable answer. Without understanding the service provider’s objectives and associated controls, the customer can neither assess the security value of the ISO 27001 certification nor determine whether the cloud service being evaluated could create a material risk that should be disclosed pursuant to the Guidance.
CSA CCM
More recently, the Cloud Security Alliance has been developing tools to assist cloud service providers in being secure and cloud customers in evaluating the security of the services they’re receiving. Among other things, CSA has developed the “Cloud Controls Matrix.”
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM is a controls framework that gives a more detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in 13 domains. The CCM is designed to tie into other industry-accepted security standards, regulations, and controls frameworks, such as ISO 27001/27002, ISACA COBIT, the Payment Card Industry Data Security Standard, the various NIST security standards, and others.
Customers should verify that the service provider has incorporated the CCM into its information security management system. The CCM also provides an excellent tool for evaluating a cloud service provider’s security controls.
As mentioned above, there are other security standards besides the ISO 27001 certification. In addition to the ones already mentioned, an organization called Shared Assessments (www.sharedassessments.org) is working on standardizing and improving the efficiency of service provider controls assessments.
Disclosing Cybersecurity Risks and Incidents
The SEC Guidance increases the tension between cloud service providers, who would prefer not to disclose to customers any known risks to their environment or cyber-incidents that occur unless they have to, and customers, who need to know about such risks and incidents to determine whether they impact their reporting obligations.
Companies contracting with cloud service providers for any functions that could create a material risk to the company, either due to the type or quantity of data being held by the cloud provider or the functions being performed by the cloud provider, need to have a frank conversation with the service provider regarding the company’s needs for purposes of disclosure and the supplier’s policies regarding disclosure of cyber risks and incidents. Customers may even need to know about incidents that do not affect their own data because the fact that such an incident occurred may require the customer to disclose the risk as part of its reporting obligations or may cause the customer to take prophylactic steps that should also be disclosed. Among other things, cloud customers need to understand the supplier’s policies and procedures around cyber incidents, including how the supplier responds to requests from law enforcement for information.
The procedures for notifying the customer of cyber-related risks and incidents should be clearly spelled out in the contract and in relevant sections of the supplier’s policies and procedures (which the supplier should not be able to change without notifying the customer).
Having looked at some of the ways you can evaluate a cloud provider’s security prior to signing a contract and some of the potential issues created between customers and cloud providers by the SEC Guidance, in Part Four we’ll look at how you can monitor the supplier’s security during the term.