The Morning Risk Report: Compliance Considerations of Sharing Threat Intel

February 13, 2015 – In The News
The Wall Street Journal: Risk & Compliance Journal

Scott L. Vernick was quoted in The Wall Street Journal: Risk & Compliance Journal article, “The Morning Risk Report: Compliance Considerations of Sharing Threat Intel.” Full text can be found in the February 13, 2015, issue, but a synopsis is below.

As President Obama presses for companies to be more forthcoming in the sharing of cybersecurity threat intelligence in an effort to improve cyberdefense capabilities, a number of information-sharing platforms have emerged, including Facebook’s ThreatExchange.

According to Scott Vernick, a noted privacy attorney, exchanges seem like a great idea on the surface, but it is unclear how they will work in practice.

Cybersecurity and IT professionals are going to want to join sites like ThreatExchange, but Vernick cautions that companies should have ground rules in place on what information can be shared.

“Companies have to think really hard about what it is IT can share, and how to do so in a way that is useful but doesn’t sort of have any inadvertent effects or creates a liability,” he said.

The key for companies will be to ensure that any information shared on these sites meets all disclosure rules that govern communications.

“As a specific compliance point I would want to be careful that what one of my IT pros shared online could be at odds or undermine our disclosure obligations,” said Vernick.

Companies will also need to be wary of the possibility that hackers could gain access to the sites to see what is being discussed, and that companies or criminals could share false information in an effort to cause confusion or to get a company to take actions that may weaken its security.

“There are all kinds of risks here that they have to think through before they say to their IT people that they can join this exchange and share information,” Vernick said.
