Friday, November 4, 2011

Disclosing Cyber Security Risk Assessments

In what I would characterize as a hat tip to the obvious, the SEC Corporate Finance division issued Disclosure Guidance requiring public companies to do a better job of advising investors about so-called "cyber security risks". In a classic example of closing the door of a horseless barn, the Commission is finally getting around to telling companies that they really should be paying attention to information technology problems that might affect the value of their stock.

From my perspective, the cyber security issue often begins with the employees of a company. The easiest access into a company's information technology system is through an employee, either deliberately or as a result of day-to-day IT security sloppiness. In fact, hackers now are much more likely to simply target specific employees, or groups of employees, to insert their malware into a company system. For example, at EMC Corporation's RSA security unit, which manufactures computer log-in devices used throughout the industry, two small groups of employees received e-mails containing an innocuous, corporate-type message with an attached spreadsheet labeled "2011 Recruitment plan." One employee retrieved the file from the spam folder, and when she opened the attachment she introduced a virus into the company network that eventually gave a hacker access to proprietary company data, allowing the attacker to conduct later attacks against RSA's customers.

It's getting easier than ever to conduct this type of spear phishing attack because of the wealth of private and corporate data contained in sites such as Facebook or LinkedIn. Companies should be vigilant about training their staff with respect to unsolicited e-mails from unknown addresses, and particularly the attachments contained in those e-mails. This is in addition to the training that should be going on with respect to things like flash drives, iPods, and other potentially infected hardware that gets plugged into the company network.

The SEC guidance is not particularly helpful, but it does provide a map of at least minimal diligence for disclosure to investors. Public companies are expected to evaluate cyber security risks within their operations and then figure out some way to disclose these risks to investors, without at the same time opening the door to an attack from a hacker who reads the SEC filings. I'm glad I don't have to draft that particular notice.

The Commission also notes that disclosure should occur in the event of an actual data breach. In particular, a company should factor in whether a potential or actual breach exposed it to lengthy government investigation or costly third-party claims, caused significant business interruption, undermined the value of the company's services or reputation, or led to substantial remediation costs.

Finally (and this sounds like a semantic nightmare), companies are required to disclose conclusions on the effectiveness of their required SEC disclosures. So if a cyber attack could affect the company's ability to disclose the required information to the SEC, the company has to disclose that its ability to disclose its ability to disclose its ability to disclose… could be affected as a result of an IT intrusion.

Fun stuff, huh? The short answer is that every organization, but especially those that sell public stock, should be policing their IT programs at the highest level. That means senior executive involvement, and perhaps more nerdiness in the so-called C-suite.
