SEC guidance on IT security: Would you report security risks before a breach?

Last week’s SEC guidance on security risk disclosure is the next event in a sequence of global trends recognizing the urgency of IT security in the digital economy.

As companies around the world come to grips with data breach notification laws, very few would consider disclosing security exposures when no breach has occurred, yet this is precisely what the new SEC guidance would require.

While the communication does not establish any new penalties or provide a definition of which exposures are material enough to report, the language and intent are unambiguous – cyber-risk is material and relevant to a company’s financial health and company executives are accountable. The SEC guidance is timely and directionally correct but requires more insight. The issue of disclosure is more complicated than insider trading; it has more significant ramifications on public safety and the entire digital economy. In short, the SEC guidance requires more guidance.

CISOs under more pressure

The guidance creates increased pressure for CISOs to quickly understand which risks are material and communicate these risks at the CEO level. Under the new guidance, if you are a security professional reviewing a list of security incidents, and you trade company stock before a breach is publicly disclosed, you would be trading on insider information. Unfortunately, in a world where organizations are always under attack, your trading window may never open.

The guidance complicates the communication of risk because security risk is difficult to quantify: while some risks may seem small in magnitude, the exposure they create is disproportionate. Many data breaches exploit vulnerabilities that were rated low priority, and as a result 99% of proactive monitoring today fails at detection, because monitoring today largely ignores low-priority risks. Consider a recent study by Ponemon in which 71% of employees said they had excessive access and 80% of IT professionals said their companies do not enforce least-privilege controls. For most companies, disclosing the volume of excessive access alone would be challenging to frame for investors. Taking this a step further, imagine if companies had to disclose ransomware payments.

Disclosure can incite exploitation

In cyber warfare, we can't let the enemies know our weaknesses; the disclosure itself could inspire attackers to take advantage of an exposure. Last year, when a well-intentioned third party blogged about a firmware vulnerability in Arris routers, millions of consumers were put at risk. To complicate the situation, it was not clear who would take ownership of the fix. This raises the question of when and how companies should disclose, and what responsibilities the disclosing party should have when public safety is at stake. Mary Ann Davidson, Oracle's CSO, provides a compelling argument: many companies hire security researchers to find vulnerabilities in software, and if those vulnerabilities are not disclosed responsibly, the global attack surface will increase drastically. Software that was safe in 1995 is not safe ten years later when the "state of the art" has changed. Even minor security risks could raise alarms and cause investors to take note. While disclosure and transparency are prudent and build trust, the SEC needs to provide better procedural definitions for disclosing security risk that balance transparency against the potential exploitation a disclosure might invite; it could even consider private disclosures at the industry level, which create transparency without inspiring exploitation.

Collaboration creates better disclosure

The Financial Services Sector Coordinating Council (FSSCC) is a good example of an industry-level focus on cyber-risk that could apply more widely and allow companies to share information safely in a forum of peers. Functioning as the coordinating body to protect the nation's financial infrastructure, the FSSCC can not only address patterns of vulnerability but also prioritize them and act as the focal point of a coordinated solution. To use a non-IT analogy, we need a cyber equivalent of the Centers for Disease Control and Prevention (CDC): a body that acts quickly to detect, model and respond to outbreaks of malware, worms and viruses, much as the CDC coordinates to reduce the impact of pathogens on the public.

Industry-level groups would not only provide a more coordinated response but also create economies of scale in finding solutions, communicating them and supporting remediation. The "state of the art" in cyber-warfare is continuously changing; a coordinated group that can anticipate the ramifications for the existing landscape and take proactive action would enable remediation before embarrassing disclosures become necessary.

The SEC guidance is a step forward because it clarifies the responsibility and expected behavior companies have both to shareholders and to the public. If the net result of the guidance is to shame public companies and spread fear, then the guidance will be counterproductive. The follow-on guidance needs to clarify the distinction between full disclosure and responsible disclosure. The World Economic Forum Global Risks Report in 2017 highlights increasing global cyber dependency as a critical risk in which every economy has a stake, requiring great responsibility from every participant.

We are not dealing with the attack surface of a single company; we are dealing with the attack surface of the entire global digital economy. The real issue is the growing systemic risk created by our inter-connected digital economy and the growing black-market economy for cyber-crime. Cyberattacks happen in patterns globally, and the key to preventing them is better collaboration among global institutions. When organizations can collaborate to prevent data breaches from happening, we can create real security rather than spread fear.

This article is published as part of the IDG Contributor Network.