The Securities and Exchange Commission (SEC) has formally asked publicly traded companies in the U.S. to disclose when they've been hacked or suffered a data breach. The request could drastically alter how corporations traditionally handle cybercrime attacks and the amount of staff and effort they use to prevent such incidents.
The SEC guidance, issued yesterday (Oct. 13), calls for corporations to disclose "timely, comprehensive, and accurate information" regarding any cybercrime incident that has a financial impact on the company or could mislead investors.
Though it sounds straightforward and reasonable from an investor's perspective, there is currently no federal mandate requiring a corporation to let anyone know if it's suffered a cyberattack. This new direction from the SEC — it is a formal guidance, but not a law — could cause big businesses, if they choose to adhere to the guidance, to face the public when hit by hackers instead of hiding behind a veil of secrecy.
Why disclose when you don't have to?
"Underreporting of IT security incidents has been a perennial problem for decades," Steve Santorelli, director of global outreach at the Internet security research group Team Cymru, told SecurityNewsDaily. A former Scotland Yard police officer, Santorelli says corporations systematically underestimate the problems they face from hackers.
Chester Wisniewski, senior security advisor for the security firm Sophos, told SecurityNewsDaily that the majority of companies choose not to come forward because "the risk to their reputation and loss of confidence from customers and investors is too high."
"Most incidents are not even reported to law enforcement in my experience," Wisniewski added. He did single out Google for choosing to come forward after the 2009 "Aurora" breach, in which it, along with hundreds of other companies, was hit by China-based hackers.
The SEC guidance will cause a flood of breach disclosures
Under the new SEC guidance, Santorelli and Wisniewski believe there will be a major uptick in data breach disclosures from companies who've traditionally swept such incidents under the rug.
Wisniewski referenced Massachusetts's data breach law, which led to a rise in disclosures after mandating that companies must report when personally identifiable information is stolen or compromised. "If you now include anything that may increase financial liability or have a material impact on the profitability of a business, you are likely to see another reporting spike," Wisniewski told SecurityNewsDaily.
Or it won't
However, the SEC's guidance is not a law, and Kurt Baumgartner, senior security researcher at the security firm Kaspersky Lab, does not expect big businesses to change their policies to comply with a suggestion.
"The guidance will most likely not result in a dramatic increase of breach reports," Baumgartner told SecurityNewsDaily. "The text is printed as 'guidance' by the commission and it has not passed as new regulation." Only "solid, uniform, federal breach notification legislation" would force corporations to come forward and report breaches, he said.
Baumgartner said the most surprising aspect to this issue is that while companies are sometimes able to stay silent and keep their investors in the dark, they face few repercussions, even after massive incidents that result in millions of dollars lost.
"The problem [of data breaches] is much larger than what has been reported," Baumgartner said. He quoted Senator Jay Rockefeller (D-W.Va.), chairman of the Senate Commerce Committee, who "estimated that intellectual property worth billions of dollars has been stolen. Perhaps the senator should add some zeroes to that figure if we are discussing the past ten years of cyber theft and espionage."
Data breaches are making companies — and cybercriminals — smarter
Recent high-profile victims of network intrusions, part of an unfortunately long list, include Google, Morgan Stanley, Sony, Stanford Hospital, Epsilon, Yale University and security-token maker RSA.
"The events and major breaches of this year to date have really served to bring these issues to the fore of public debate, and that's obviously a positive step," Santorelli said.
So if the SEC guidance urges companies to invest more in IT and security, companies would have the advantage over the criminals trying to steal their sensitive information, right? Not necessarily, Baumgartner said.
While the headline-making hacks have made corporate security a hot topic and drawn talented professionals to the frontlines, Baumgartner said cybercriminals have upped their game as well. "The attackers are shaking it up, because they are picking apart existing security, forcing innovation and real attention to the matter."
Will companies start to take security more seriously?
As with any other business dealing, money is the main driving factor in whether or not corporations will start taking precautions to prevent a cybercrime incident that they would then feel compelled to disclose.
"Economics has always driven decisions in the business world," Santorelli said. "If you get a reputation for poor security, that can be seen as a major competitive advantage for your rivals." However, if there are industry requirements that force companies to disclose cybercrime incidents, "then arguably the decision to disclose is taken out of the hands of the victim company."
Baumgartner is confident that companies will take steps to increase security, but fears that such reinforcements might not come in time to prevent the next major cyberattack.
He told SecurityNewsDaily that because of the recession, "States and corporations are still grappling with revenue shortfalls and drops, which will impact security spending overall."
While the SEC guidance could see companies shifting their focus to fortifying their networks and preventing cyberattacks, Baumgartner remains "pretty confident that we will see more breaches that could have been avoided over the next couple of years."