US corporate security disclosure plan won't help

Bad idea

Analysis In an effort to shore up the security of US critical infrastructure, the secretary of the Department of Homeland Security recently proposed that all publicly traded companies disclose in their filings with the Securities and Exchange Commission precisely what they are doing to protect the security, confidentiality, integrity and availability of their electronic information and databases.

Harkening back to the end of the last millennium, Tom Ridge suggested in a speech before the Business Software Alliance that cyber security problems were similar to the problems presented to publicly traded companies before Y2K. Ridge suggested that "we need to talk about some kind of public disclosure. What are you doing about your security, physical and cyber security? Tell your shareholders, tell your employees, tell the communities within which you operate".

It's a worthy idea to ponder, but two underlying questions remain unanswered: are investors really going to make investment decisions based upon such disclosures, and wouldn't any meaningful disclosures provide hackers and criminals with a roadmap to vulnerabilities?

All publicly traded companies in the US are required to publicly file disclosure statements that reveal all known material events, trends or uncertainties that might affect the value of the company. The purpose of these disclosures is to alert both shareholders and investors of anything that could impact share value. Management is required to explain not only the current financial condition of the company, but also, to some extent, what it believes will be the future financial condition of the company, in light of anticipated trends.

To do this, the company files with the SEC a disclosure called "Management's Discussion and Analysis of Financial Condition and Results of Operations" (MD&A).

Additionally, the anti-fraud provisions of the securities laws require companies to publicly reveal any information that could materially affect the share price. Essentially, you have to tell investors if there is anything you know that could affect the share price.

In this regard, cyber security can be seen as the purple elephant in the corner - everyone sees it, but nobody wants to talk about it. Let's face it, if there is a significant attack on a company's electronic infrastructure, or a significant loss of reputation as a result of an attack, the publicly traded company you have just invested your 401(k) funds in could turn out to be a complete bust. Sometimes, the company cannot recover. When Tim Lloyd's Trojan destroyed all the files of his employer, Omega Engineering, in July 1996, the company essentially went out of business. A similar result occurred three months later when a disgruntled employee wiped out all of the computer files at Digital Technologies Group.

The question is, how much is a company obliged to disclose? The legal test here is one of materiality. What would a reasonably prudent investor want to know about the state of a company's computer security that could affect his or her decision whether or not to invest?

Y2K a Poor Analogy

With Y2K, you knew (well, you thought you knew) that something was going to happen on 1 January, 2000. You either were prepared for it, or you weren't. You either took some effort to remediate, or you didn't. You either tested for vulnerability, or you didn't. Or sometimes something in between.

In 1998, with the Y2K bug looming, both Congress and the SEC promulgated laws and regulations that required companies to disclose (1) the company's state of Y2K readiness; (2) the costs to address the company's Year 2000 issues; (3) the risks of the company's Year 2000 issues; and (4) the company's contingency plans. While the precise nature of the disclosure requirements was not set out by the SEC, essentially you told your shareholders and investors either 'we are ready for Y2K and this is why', or 'we aren't'.

Cyber security isn't so simple.

Already companies have to disclose anything that could materially affect their stock price - either in the past (things that have already occurred) or the future (what the SEC calls "forward-looking statements"). Companies have estimated the cost of the Nimda worm alone at $2.6 billion, Code Red at $1.2 billion, the Melissa virus at $385 million, and the Mafiaboy DDoS attacks an additional $1.2 billion. And yet, despite the magnitude of these stated losses, not a single company has filed an SEC disclosure statement to its investors or potential investors saying, 'Hey, our company didn't do as well as expected this quarter because of losses resulting from the attack.'

The reason lies in the test for materiality. While the destruction of its entire file system was material to companies like Omega, the diversion of corporate resources resulting from attacks like Nimda or Code Red can be swept under the rug by most large institutions as a 'cost of doing business'. Indeed, most companies don't keep accurate statistics about the true costs of cyber security, much less the costs of not providing it.

It is therefore difficult for companies to make a business case within the institution for dedicating appropriate resources to fight cyber attacks - much less convince them to disclose their spending to the public.

So what would happen if companies were required to disclose to the public and the SEC what they were doing in the area of computer security? First, you'd see a lot of banal and meaningless statements like, 'We have state-of-the-art security,' or, 'We spent four per cent of our overall IT budget on security last year' or 'We are substantially modernising our IT security'.

Blueprints for Attacks

Are such statements really useful to investors? What is the right amount of money to be spent on security? What constitutes security spending? Are you spending on the right tools, technologies, and training? Are you truly secure? What are the threats and risks to you and your industry? Why have you picked that level of security spending? Where do you stand in relation to others similarly situated? It's pretty complicated stuff for your average investor to take in. Moreover, I would hardly ever expect a company to voluntarily disclose that their security is inadequate.

Alternatively, a company could decide to go the other way and disclose a great deal of detail about what it is doing for security: explain the nature and extent of its security technology, give exact dollar figures spent on security (both totals and percentages), and explain the new security strategy to be rolled out next year. The problem with this approach is that the greater the detail about what you are doing, the more you tell potential attackers about what you are not doing. The disclosure makes you more vulnerable to attack.

Companies already have a duty to investors to ensure that they are protecting all corporate assets, including information assets. Corporate officers, directors, and auditors act as a fiduciary to their shareholders to make sure that corporate information assets are available, confidential, and reliable. While they are entitled to exercise business judgment in deciding how much to spend to protect these assets (and how exactly to spend it), they are ultimately responsible to the shareholders if this judgment proves unsound.

Furthermore, new regulations and laws like Sarbanes-Oxley and the Gramm-Leach-Bliley Act dictate that companies ensure the confidentiality of personal financial information, and the reliability of SEC disclosures.

I think that's enough.

Secretary Ridge's theory seems to be that if companies had to tell their investors what they were doing about security, they would do more. But it's clear that a failure to adequately protect information assets against foreseeable threats - whether cyber attacks or a malfunctioning sprinkler system - is already material to an investor. Additional disclosures won't add anything of value, and could cause some damage.

Mark D. Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary, Inc.

Copyright © SecurityFocus