SEC Roundtable

April 04, 2014, Rick Dakin, CEO, Co-founder and Chief Security Strategist

On Wednesday, I attended a roundtable discussion the Securities and Exchange Commission held to gather information on cybersecurity trends and potential disclosure requirements for regulated public companies and stock exchanges.

The recent large-scale breaches in the retail sector loomed over all the discussions. To date, investors have mostly held back from punishing public companies that suffer large data breaches. That fact – along with the serious PR and sales repercussions that come with any public admission of a security problem – led many of the executives in the room to argue that the SEC should not require cyber-risks to be disclosed.

The lack of a national standard for disclosure puts public company executives and boards of directors in an awkward spot. None of the participants asked what standards a company like Target could use to ward off almost 100 class action lawsuits for failing to protect material operations and provide more thoughtful disclosure. By refusing to define the minimum levels of diligence required of the board for cyber-risk disclosure, the SEC is leaving an open field for plaintiffs’ attorneys.

In light of this exposure, every leadership team needs to take a holistic approach to managing IT risk, an approach that starts with basic questions like: What information do we have? Where is it? Who’s responsible for protecting it? And, in the worst-case scenario, what happens if it’s compromised?

The discussions regarding capital markets were more insightful. These groups acknowledged that both FS-ISAC and CHEF were active industry forums for discussing cyber-attacks. The exchanges also agreed that they would never disclose a cyber-attack – for fear of the potential negative impact on operations – but they understand the potential for serious disruptions from Denial of Service attacks or the theft of a credential that causes a wave of fraudulent trades.

My number one takeaway from the sessions is that cyber-attacks will continue unabated until we finally see the Big One. That’s when people will be willing to step forward and address the problem.

In the meantime, there is enough awareness of the issues among these companies that we expect to see the use of cyber insurance coverage increase quickly. The take rates on dedicated cyber policies and critical infrastructure policies increased by 20 percent and 40 percent, respectively, last year.

Companies recognize they will take a serious shot at some point. Right now, their plan seems to be transferring that risk to insurance carriers who do not yet have enough loss experience to truly “insure” the loss or damage. As large-scale data breaches increase in frequency and intensity, the carriers will have a much more defined database to predict losses in selected industries, with each insured company clearly identifying the risk mitigation efforts already in place.

Cybersecurity assessors like Coalfire will play a critical role in determining the effective deployment of risk mitigation controls to help carriers better identify the residual risk in systems. In the future, the direct connection between enterprise risk management programs and insurance programs will help both the carriers and the insureds.
Rick Dakin