By Ellen Nakashima and David S. Hilzenrath, Published: October 14
Cyberspies and criminals steal what is estimated to be tens of billions of dollars worth of data from U.S. companies each year. Yet experts say few companies report these losses to shareholders.
Now the Securities and Exchange Commission is pressing for more disclosure, issuing new guidelines this week that make clear that publicly traded companies must report significant instances of cybertheft or attack, or even when they are at material risk of such an event.
“Investors have been kept completely in the dark,” said Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate commerce committee, which urged the SEC to take the action. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”
The SEC guidance clarifies a long-standing requirement that companies report “material” developments, or matters significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no exception.
For example, the SEC says, a company probably will need to report on costs and consequences of material intrusions in which customer data are compromised. The company’s revenue could suffer, and it could be forced to spend money to beef up security or fight lawsuits. In addition, if a company is vulnerable to cyberattack, investors may need to be informed of the risk, the SEC said.
15 October 2011
Degree in OPS Risk: The New Normal...
The discipline of Operational Risk Management is becoming more of a requirement in a multitude of companies outside the financial industry. In the United States, this is due to the fact that Fortune 500 enterprises and even small to medium size businesses, are now disclosing that they are in a silent and soon to be more acknowledged, battle against significant loss events. Information Capital Loss Events.
This decade long hush hush silent war, with cyber criminal syndicates, fraud rings operating in the "Cloud" and the advanced persistent threat (APT) orchestrated by sophisticated cells of nation states, is growing ever so more pervasive. Public companies shareholders and small business owners investors, are still asking more questions about the information loss risk of stolen intellectual property, corporate secrets, R & D and even cash. The reporting of hundreds of thousands of dollars per incident, that is being stolen via cyber malware attacks in concert with unauthorized banking ACH transactions, is already a classic case of asymmetric warfare. The banks are not the only critical infrastructure vulnerable to the silent war being waged by well funded units within the governments of China or Russia. Why do you think that US Cyber Command is housed within USSTRATCOM?
Now the Securities and Exchange Commission (SEC) wants information capital and data losses to be monetized and is encouraging the companies to acknowledge this silent battle and to be more transparent on incidents, regardless of the impact to the bottom line:
Operational Risk Management is a discipline that encompasses science, methodology and art. No different than other academic pursuits. Each organization that realizes that loss events are inevitable across a spectrum of risks has already designated people and processes to mitigate, minimize or even accept these risks. Litigation and legal risks have been part of the disclosure to shareholders for some time. The process of negotiating with plaintiffs to settle law suits is in itself a strategy to minimize losses to the institution. So why are the SEC disclosure guidelines going to make these same institutions nervous? They aren't.
Public companies that now may have to be more transparent, because they trade shares on the stock exchange or because of their respective tax status with the Internal Revenue Service, will do this on an increasing basis. It will be just one more risk to the enterprise that is disclosed and has a cost associated with it. That cost is in many cases the remediation measures put in place for the members or the customers, because of other privacy laws such as SB 1386 or the HITECH Act that require notification and in some cases assistance for avoiding the risk of Identity Theft. How many letters did you get in the mail this last year like this? The number is growing and soon the whole American public will need to have their credit monitored at the cost of the institution who has disclosed the theft of personal identifiable information (PII). So, perhaps you could offset this cost by charging your customers $5.00 each month to use a debit card.
The SEC is just one more U.S. government agency that is capable of putting the pressure on the private sector, to comply with existing laws regarding the "material" incidents going on within the public company. The private sector should not even blink at this and will voluntarily do so just as it has with other material items. Or will it?
The fact is that there is no government or private sector company that "HAS NOT" been breached or had data exfiltrated from their information systems. This is a given. We are in the age where our personal information is being socially shared with advertisers and so called analytics firms on a daily basis. This data is being sold to whoever will pay for it. The playing field is set and the baselines are clear. We have all been compromised in some way or some form and now it is just a matter of the magnitude.
Operational Risk professionals know this and we have been raising our hands for years asking for more resources to keep the perimeters secure and to prevent people from behaving badly. Yet substantial funding to ramp up "Cyber Security" tools and services in the institution will not put a dramatic dent in the real business issues at hand. Human Behavior. Humans acting with disregard to the rules sets or ignorant to the known risks, will not change.
So what is the answer for the SEC or even US Cyber Command? Only one thing. A greater attention to the science, methodology and art of the discipline of Operational Risk Management. We have institutions of higher learning teaching Homeland Security, Cyber Security and even Forensic Accounting. Maybe we need to establish a Bachelors Degree and Masters in Operational Risk Management, to pave the way to a more safe and secure global business environment in the next half of the millenium.