Every few weeks or so, a big company gets into big trouble following a big data breach.
In the aftermath, we see collective hand wringing about what the company, its executives, and its board of directors did wrong or failed to do at all.
Pro tip: Many of you are doing cyber-security wrong.
That is not to imply that the effort isn’t there. We aren’t accusing corporate America, en masse, of merely performing cursory oversight or superficial checklist wrangling.
Consider, however, that nearly every company to make cyber-headlines has had the unenviable, accompanying controversies of what they either did not do or did wrong. “So,” the cocky IT guy might say, “we don’t have those headlines because our defenses are superior.”
Perhaps, but it is just as likely that you simply haven’t had a breach dragged into the public spotlight yet. Everybody, potentially, makes mistakes when it comes to cyber-security; otherwise the hits wouldn’t keep on coming.
Two recent, high-profile breaches are all over the news these days.
In August, the Securities and Exchange Commission learned that an incident previously detected in 2016 provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system was exploited and resulted in access to non-public information.
There is also Equifax. A data breach announced by the consumer credit rating firm compromised the personal information of as many as 143 million Americans.
What can we learn from the attacks? We won’t pretend that either situation will inspire ironclad advice for building fortresses that force bad guys elsewhere. There is, however, food for thought. First and foremost, there will be pain, and lots of it, if executives treat disclosure obligations cavalierly.
Equifax? We don’t know exactly who knew what and when. We do know, however, that if you drag out breach notifications until someone else makes the discovery, the delay will not sit well with investors, the media, or regulators.
The no-brainer lesson: Do not, under any circumstances, start dumping executive stock during the way-too-long timeframe between breach discovery and disclosure. There are two scenarios the public will draw from doing so, as Equifax executives apparently did: that they engaged in illicit trading, or were blissfully ignorant of the breach (thereby shirking their duties).
We also suggest that a big, data-hungry company like Equifax should take great pains to put qualified people into the positions that intersect with cyber-security. When bad things happen, watching folks in these high-level positions cluck about before indulging in the quick exit of early retirement is not a good look at all.
The SEC breach raises a common-sense issue that likewise needs reinforcement: devote needed and adequate resources.
Here we have an agency that stores a nearly incomprehensible amount of public company data, a good chunk of it confidential. The EDGAR system is the backbone of our national market system, the engine of exchanges, and, with only slight exaggeration, the spine of the nation’s economic stability.
In the cyber-security world, it is expensive to stay ahead with needed technology and software. That is why the Dodd-Frank Act authorized the SEC to create a reserve fund from registration fees, raising up to $100 million for security and technology enhancements.
Enter the Trump Administration and plans to eliminate that fund.
Even SEC Commissioner Jay Clayton, an otherwise good foot soldier for the administration, is breaking ranks over this. “I think we need to spend more money,” he told the Senate Banking Committee. “I will not be asking for a flat budget in Fiscal Year 2019. We are going to need more money for cyber-security and IT and I intend to ask for it.”
As for the EDGAR breach, the vulnerability was a defect in a custom piece of software used to provide a staging area for not-yet-public filings. The lesson there is that the more customized software is, the more likely it is to be vulnerable.
We are surrounded by revolutionary technologies and the desire is to have firm-specific GRC, ERM, and RegTech solutions. All well and good, but specialization is proportional to risk. Testing, and risk disclosures, should be adjusted accordingly.
Ignoring knowable vulnerabilities with cookie-cutter risk assessments is red meat for the regulators and class action plaintiffs who will soon come calling.
Another thing that will bring all the boys to the yard: playing fast and loose with materiality. Yes, it can be an elusive concept open to interpretation. Very few arguments will sway folks that what happened at Equifax wasn’t material to investors.
When Yahoo! suffered a breach last year, 500 million users were affected. Yet the company tried to claim that it didn’t meet the materiality threshold. Yeah. Sure thing, guys. Gotcha.
Senator Jack Reed, a Democrat from Rhode Island, has pointed out that, since 2010, fewer than 100 of roughly 9,000 public companies have deemed any level of cyber-incursion significant enough to meet the materiality standard for notifying the public. He calls it “absolutely unacceptable,” and it is hard to disagree.
Every firm will someday face a data breach, whether large or small. What may be your corporate undoing isn’t the attack, but the pure stupidity of starving budgets, ignoring disclosure obligations, and customizing software without accompanying defenses.
To quote the legendary comic strip character Pogo: “We have met the enemy, and he is us.”