US corporate security disclosure plan won't help

Bad idea

Analysis In an effort to shore up the security of the US' critical infrastructures, the secretary of the Department of Homeland Security recently proposed that all publicly-traded companies disclose in their filings with the Securities and Exchange Commission precisely what they are doing to protect the security, confidentiality, integrity and availability of their electronic information and databases.

Harkening back to the end of the last millennium, Tom Ridge suggested in a speech before the Business Software Alliance that cyber security problems were similar to the problems presented to publicly traded companies before Y2K. Ridge suggested that "we need to talk about some kind of public disclosure. What are you doing about your security, physical and cyber security? Tell your shareholders, tell your employees, tell the communities within which you operate".

It's a worthy idea to ponder, but two underlying questions remain unanswered: are investors really going to make investment decisions based upon such disclosures, and wouldn't any meaningful disclosures provide hackers and criminals with a roadmap to vulnerabilities?

All publicly traded companies in the US are required to publicly file disclosure statements that reveal all known material events, trends or uncertainties that might affect the value of the company. The purpose of these disclosures is to alert both shareholders and investors of anything that could impact share value. Management is required to explain not only the current financial condition of the company, but also, to some extent, what it believes will be the future financial condition of the company, in light of anticipated trends.

To do this, the company files with the SEC a disclosure called "Management's Discussion and Analysis of Financial Condition and Results of Operations" (MD&A).

Additionally, the anti-fraud provisions of the securities laws require companies to publicly reveal any information that could materially affect the share price. Essentially, you have to tell investors if there is anything you know that could affect the share price.

In this regard, cyber security can be seen as the purple elephant in the corner - everyone sees it, but nobody wants to talk about it. Let's face it, if there is a significant attack on a company's electronic infrastructure, or a significant loss of reputation as a result of an attack, the publicly traded company you have just invested your 401(k) funds in could turn out to be a complete bust. Sometimes, the company cannot recover. When Tim Lloyd's Trojan destroyed all the files of his employer, Omega Engineering, in July 1996, the company essentially went out of business. A similar result occurred three months later when a disgruntled employee wiped out all of the computer files at Digital Technologies Group.

The question is, how much is a company obliged to disclose? The legal test here is one of materiality. What would a reasonably prudent investor want to know about the state of a company's computer security that could affect his or her decision whether or not to invest?

Y2K a Poor Analogy

With Y2K, you knew (well, you thought you knew) that something was going to happen on 1 January, 2000. You either were prepared for it, or you weren't. You either took some effort to remediate, or you didn't. You either tested for vulnerability, or you didn't. Or sometimes something in between.

In 1998, with the Y2K bug looming, both Congress and the SEC promulgated laws and regulations that required companies to disclose (1) the company's state of Y2K readiness; (2) the costs to address the company's Year 2000 issues; (3) the risks of the company's Year 2000 issues; and (4) the company's contingency plans. While the precise nature of the disclosure requirements was not set out by the SEC, essentially you told your shareholders and investors either 'we are ready for Y2K and this is why', or 'we aren't'.

Cyber security isn't so simple.

Already companies have to disclose anything that could materially affect their stock price - either in the past (things that have already occurred) or the future (what the SEC calls "forward looking statements"). Companies have estimated the cost of the Nimda worm alone at $2.6 billion, Code Red at $1.2 billion, the Melissa virus at $385 million, and the Mafiaboy DDoS attacks an additional $1.2 billion. And yet, despite the magnitude of these stated losses, not a single company has filed an SEC disclosure statement to its investors or potential investors saying, 'Hey, our company didn't do as well as expected this quarter because of losses resulting from the attack.'

The reason lies in the test for materiality. While the destruction of its entire file system was material to companies like Omega, the diversion of corporate resources resulting from attacks like Nimda or Code Red can be swept under the rug by most large institutions as a 'cost of doing business'. Indeed, most companies don't keep accurate statistics about the true costs of cyber security, much less the costs of not providing it.

It is therefore difficult for companies to make a business case within the institution for dedicating appropriate resources to fight cyber attacks - much less convince them to disclose their spending to the public.

So what would happen if companies were required to disclose to the public and the SEC what they were doing in the area of computer security? First, you'd see a lot of banal and meaningless statements like, 'We have state-of-the-art security,' or, 'We spent four per cent of our overall IT budget on security last year' or 'We are substantially modernising our IT security'.

Blueprints for Attacks

Are such statements really useful to investors? What is the right amount of money to be spent on security? What constitutes security spending? Are you spending on the right tools, technologies, and training? Are you truly secure? What are the threats and risks to you and your industry? Why have you picked that level of security spending? Where do you stand in relation to others similarly situated? It's pretty complicated stuff for your average investor to take in. Moreover, I would hardly ever expect a company to voluntarily disclose that their security is inadequate.

Alternatively, a company could decide to go the other way and disclose a great deal of detail about what it is doing for security. Explain the nature and extent of its security technology, give exact dollar figures spent on security (both totals and percentages), and explain the new security strategy to be rolled out next year. The problem with this approach is that, the greater the detail about what you are doing, the more you tell potential attackers about what you are not doing. The disclosure makes you more vulnerable to attack.

Companies already have a duty to investors to ensure that they are protecting all corporate assets, including information assets. Corporate officers, directors, and auditors act as a fiduciary to their shareholders to make sure that corporate information assets are available, confidential, and reliable. While they are entitled to exercise business judgment in deciding how much to spend to protect these assets (and how exactly to spend it), they are ultimately responsible to the shareholders if this judgment proves unsound.

Furthermore, new regulations and laws like Sarbanes-Oxley and the Gramm-Leach-Bliley Act dictate that companies ensure the confidentiality of personal financial information, and the reliability of SEC disclosures.

I think that's enough.

Secretary Ridge's theory seems to be that if companies had to tell their investors what they were doing about security, they would do more. But it's clear that a failure to adequately protect information assets against foreseeable threats - whether cyber attacks or a malfunctioning sprinkler system - is already material to an investor. Additional disclosures won't add anything of value, and could cause some damage.

Mark D. Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary, Inc.

Copyright © SecurityFocus
