Two interesting pieces of news came from the Securities and Exchange Commission (SEC) involving cyber security. The first was a warning to SEC staffers that their personal brokerage account information may have been compromised. The problem, according to a Reuters article, was a security flaw in an ethics compliance program put into place due to concerns of insider trading. According to the article:
Chief Information Officer Thomas Bayer said that the contractor hired to operate a computer program that tracks trades had violated its agreement with the SEC by providing names and account numbers to a subcontractor without permission.
"We are not aware of any actual misuse of the data," Bayer wrote. "Nevertheless, it is the SEC's policy to provide notification of any incident that presents the potential for unauthorized access to personal information."
Alerting its staff, the SEC set an example by following the new guidelines the agency released last week, which state that publicly traded companies must report incidents that result, or could possibly result, in cyber theft or a risk of compromised data. As the Washington Post stated:
The SEC guidance clarifies a long-standing requirement that companies report "material" developments, or matters significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no exception.
The Washington Post article pointed out that the new guidelines likely won't be very popular - or even followed - among the world's largest corporations, which like to work under a shroud of secrecy. Jody Westby, chief executive of Global Cyber Risk, was quoted in the article saying that she doesn't believe corporations are suddenly going to change their attitudes about reporting cyber attacks. The article also said:
Westby said she advised a Fortune 100 company that had suffered a major breach in 2008 that the company report it to the SEC. "They just laughed and said, We don't agree,'?" she recalled. "Companies involved in breaches are very reluctant to reveal what happened, and much less tell the SEC what happened. Why? Because of a fear of reputational damage."
She has a point. Even though it seemed like there was a report of a hack or cyber attack at least once a week this past year, how many do you remember? Unless the breach is extreme, I don't think there will be lingering effects for well-regarded companies.
I applaud the SEC's attempts to get companies to fess up about potential attacks on their networks. Now it is up to corporations to take cyber security seriously enough to volunteer the information when an attack happens.