SEC Roundtable

April 04, 2014, Rick Dakin, CEO, Co-founder and Chief Security Strategist

On Wednesday, I attended a roundtable discussion the Securities and Exchange Commission held to gather information on cybersecurity trends and potential disclosure requirements for regulated public companies and stock exchanges.

The recent large-scale breaches in the retail sector loomed over all the discussions. To date, investors have mostly held back from punishing public companies that suffer large data breaches. That fact – along with the serious PR and sales repercussions that come with any public admission of a security problem – led many of the executives in the room to argue that the SEC should not require cyber-risks to be disclosed.

The lack of a national standard for disclosure puts public company executives and boards of directors in an awkward spot. None of the participants asked what standards a company like Target could have used to ward off almost 100 class action lawsuits for failing to protect material operations and to provide more thoughtful disclosure. By refusing to define the minimum level of diligence required of the board for cyber-risk disclosure, the SEC is leaving an open field for plaintiffs’ attorneys.

In light of this exposure, every leadership team needs to take a holistic approach to managing IT risk, an approach that starts with basic questions: What information do we have? Where is it? Who’s responsible for protecting it? And, in the worst-case scenario, what happens if it’s compromised?

The discussions regarding capital markets were more insightful. These groups acknowledged that both FS-ISAC and CHEF were active industry forums for discussing cyber-attacks. The exchanges also agreed that they would never disclose a cyber-attack – for fear of the potential negative impact on operations – but they understand the potential for serious disruption from Denial of Service attacks or from the theft of a credential that triggers a wave of fraudulent trades.

My number one takeaway from the sessions is that cyber-attacks will continue unabated until we finally see the Big One. That’s when people will be willing to step forward and address the problem.

In the meantime, there is enough awareness of the issues among these companies that we expect to see the use of cyber insurance coverage increase quickly. The take rates on dedicated cyber policies and critical infrastructure policies increased by 20 percent and 40 percent, respectively, last year.

Companies recognize they will take a serious hit at some point. Right now, their plan seems to be transferring that risk to insurance carriers who do not yet have enough loss experience to truly “insure” the loss or damage. As large-scale data breaches increase in frequency and intensity, the carriers will build a much better-defined database for predicting losses in selected industries, with each insured company clearly identifying the risk mitigation efforts already in place.

Cybersecurity assessors like Coalfire will play a critical role in verifying the effective deployment of risk mitigation controls, helping carriers better identify the residual risk in systems. In the future, a direct connection between enterprise risk management programs and insurance programs will benefit both the carriers and the insureds.