The Federal Trade Commission (FTC) is updating the requirements for organizations to establish a reasonable cybersecurity program, with revised recommendations involving internal actions of a company—like designating a chief information security officer (CISO) who will report on cybersecurity, at least annually, to the board of directors. This suggestion is neither new nor novel, and closely mirrors regulation released by the New York Department of Financial Services (NYDFS). Some of the biggest changes, however, reflect external actions and partners.
The FTC recognizes that in today’s technology and business environment, many operational systems involve cooperation, coordination and inter-operability of data and access between the systems operated, owned or licensed by multiple organizations. While this is significant, it should not be a surprise. Many of the largest data breaches have involved compromises that began not within the company, but at a business partner, supplier, outsource or other outside organization. By explicitly including provisions addressing “external risks to the security, confidentiality, and integrity of customer information” and “the sufficiency of any safeguards in place to control these risks,” the FTC is shining a spotlight directly on third-party cyber risks.
