US corporate security disclosure plan won't help
Analysis In an effort to shore up the security of the US' critical infrastructures, the secretary of the Department of Homeland Security recently proposed that all publicly-traded companies disclose in their filings with the Securities and Exchange Commission precisely what they are doing to protect the security, confidentiality, integrity and availability of their electronic information and databases.
Harkening back to the end of the last millennium, Tom Ridge suggested in a speech before the Business Software Alliance that cyber security problems were similar to the problems presented to publicly traded companies before Y2K. Ridge suggested that "we need to talk about some kind of public disclosure. What are you doing about your security, physical and cyber security? Tell your shareholders, tell your employees, tell the communities within which you operate".
It's a worthy idea to ponder, but two underlying questions remain unanswered: are investors really going to make investment decisions based upon such disclosures, and wouldn't any meaningful disclosures provide hackers and criminals with a roadmap to vulnerabilities?
All publicly traded companies in the US are required to publicly file disclosure statements that reveal all known material events, trends or uncertainties that might affect the value of the company. The purpose of these disclosures is to alert both shareholders and investors of anything that could impact share value. Management is required to explain not only the current financial condition of the company, but also, to some extent, what it believes will be the future financial condition of the company, in light of anticipated trends.
To do this, the company files with the SEC a disclosure called "Management's Discussion and Analysis of Financial Condition and Results of Operations" (MD&A).
Additionally, the anti-fraud provisions of the securities laws require companies to publicly reveal any information that could materially affect the share price. Essentially, you have to tell investors if there is anything you know that could affect the share price.
In this regard, cyber security can be seen as purple elephant in the corner - everyone sees it, but nobody wants to talk about it. Let's face it, if there is a significant attack on a company's electronic infrastructure, or a significant loss of reputation as a result of an attack, the publicly traded company you have just invested your 401(k) funds in could turn out to be a complete bust. Sometimes, the company cannot recover. When Tim Lloyd's Trojan destroyed all the files of his employer, Omega Engineering, in July 1996, the company essentially went out of business. A similar result occurred three months later when a disgruntled employee wiped out all of the computer files at Digital Technologies Group.
The question is, how much is a company obliged to disclose. The legal test here is one of materiality. What would a reasonably prudent investor want to know about the state of a company's computer security that could affect his or her decision whether or not to invest?
Y2K a Poor Analogy
With Y2K, you knew (well, you thought you knew) that something was going to happen on 1 January, 2000. You either were prepared for it, or you weren't. You either took some effort to remediate, or you didn't. You either tested for vulnerability, or you didn't. Or sometimes something in between.
In 1998, with the Y2K bug looming, both Congress and the SEC promulgated laws and regulations that required companies to disclose (1) the company's state of Y2K readiness; (2) the costs to address the company's Year 2000 issues; (3) the risks of the company's Year 2000 issues; and (4) the company's contingency plans. While the precise nature of the disclosure requirements were not set out by the SEC, essentially you told your shareholders and investors either 'we are ready for Y2K and this is why', or 'we aren't'.
Cyber security isn't so simple.
Already companies have to disclose anything that could materially affect their stock price - either in the past (things that have already occurred) or the future (what the SEC calls "forward looking statements"). Companies have estimated the cost of the Nimda worm alone at $2.6 billion, Code Red at $1.2 billion, the Melissa virus at $385 million, and the Mafiaboy DDoS attacks an additional $1.2 billion. And yet, despite the magnitude of these stated losses, not a single company has filed an SEC disclosure statement to its investors or potential investors saying, 'Hey, our company didn't do as well as expected this quarter because of losses resulting from the attack.'
The reason lies in the test for materiality. While the destruction of its entire file system was material to companies like Omega, the diversion of corporate resources resulting from attacks like Nimda, or Code Red can be swept under the rug by most large institutions as a 'cost of doing business'. Indeed, most companies don't keep accurate statistics about the true costs of cyber security, much less the costs of not providing it.
It is therefore difficult for companies to make a business case within the institution for dedicating appropriate resources to fight cyber attacks - much less convince them to disclose their spending to the public.
So what would happen if companies were required to disclose to the public and the SEC what they were doing in the area of computer security? First, you'd see a lot of banal and meaningless statements like, 'We have state-of-the-art security,' or, 'We spent four per cent of our overall IT budget on security last year' or 'We are substantially modernising our IT security'.
Blueprints for Attacks
Are such statements really useful to investors? What is the right amount of money to be spent on security? What constitutes security spending? Are you spending on the right tools, technologies, and training? Are you truly secure? What are the threats and risks to you and your industry? Why have you picked that level of security spending? Where do you stand in relation to others similarly situated? It's pretty complicated stuff for your average investor to take in. Moreover, I would hardly ever expect a company to voluntarily disclose that their security is inadequate.
Alternatively, a company could decide to go the other way and disclose a great deal of detail about what it is doing for security. Explain the nature and extent of its security technology, give exact dollar figures spent on security (both totals and percentages), and explain the new security strategy to be rolled out next year. The problem with this approach is that, the greater the detail about what you are doing, the more you tell potential attackers about what you are not doing. The disclosure makes you more vulnerable to attack.
Companies already have a duty to investors to ensure that they are protecting all corporate assets, including information assets. Corporate officers, directors, and auditors act as a fiduciary to their shareholders to make sure that corporate information assets are available, confidential, and reliable. While they are entitled to exercise business judgment in deciding how much to spend to protect these assets (and how exactly to spend it), they are ultimately responsible to the shareholders if this judgment proves unsound.
Furthermore, new regulations and laws like Sarbannes Oxley and the Gramm Leach Bliley Act dictate that companies ensure the confidentiality of personal financial information, and the reliability of SEC disclosures.
I think that's enough.
Secretary Ridge's theory seems to be that if companies had to tell their investors what they were doing about security, they would do more. But it's clear that a failure to adequately protect information assets against foreseeable threats - whether cyber attacks or a malfunctioning sprinkler system - is already material to an investor. Additional disclosures won't add anything of value, and could cause some damage.
Mark D. Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary, Inc.
Copyright © SecurityFocus