Rob Swystun, Pristine Advisers
As if suffering through a cyber attack isn’t bad enough, now companies that have experienced one are under increasing scrutiny from the U.S. Securities and Exchange Commission to see how well they handled it.
The SEC is investigating companies that have been the victims of cyber attacks to ascertain whether they adequately guarded data and informed investors about the impact of breaches, according to sources who are familiar with the investigations but who wish to remain anonymous, as reported by Dave Michaels in The Columbus Dispatch by way of Bloomberg News.
Department store Target is among the companies being investigated, according to company filings. Target had a major breach last year, allowing an outside source to access the debit and credit card information of 40 million of its customers.
In May, the store released a statement that said the SEC, Federal Trade Commission and state attorneys general are “investigating events related to the data breach, including how it occurred, its consequences and our responses.”
As of May 3, that particular cyber attack had cost the company $52 million, according to Target.
Targeting the corporate victims of cyber crime marks a shift in tactics for the SEC in its ongoing fight against hackers and their attacks on public companies, brokerages and financial markets.
The SEC had previously focused on guiding public companies through best practices for disclosing risks and ensuring they had adequate defenses against cyber attacks. But now it is holding those same companies accountable if it finds that they haven’t done their due diligence to protect their stakeholders.
“The SEC issues subpoenas when they believe the disclosure is either incomplete or misleading,” said Linda Griggs, a partner at Morgan, Lewis & Bockius. “It’s totally consistent for them to be looking at this kind of thing.” Bockius previously worked at the SEC as chief counsel to the agency’s chief accountant.
The SEC is also investigating companies’ internal controls in those cases where the value of assets may have been affected by a breach, Michaels reports one of the SEC sources as saying.
Just how much information companies should disclose about security breaches has provoked disagreement among attorneys, regulators and activist investors. While there is no actual requirement to disclose cyber attacks, public companies are obliged to disclose to shareholders any events that may end up affecting the share price and any news that could influence their decision to buy or sell shares.
How costly are cyber attacks in the US?
According to the 2013 Cost of Cyber Crime Study: United States, based on a representative sample of 60 organizations in various industry sectors (and sponsored by HP Enterprise Security):
- The average annualized cost of cyber crime for the 60 organizations in the study was $11.6 million per year, with a range of $1.3 million to $58 million. In 2012, the average annualized cost was $8.9 million. This represents an increase in cost of 26% or $2.6 million from the results of the 2012 study.
- The companies in the study experienced 122 successful attacks per week and two successful attacks per company per week, representing an increase of 18% from the 2012 study, which reported 102 successful attacks on average per week.
The study defined cyber attacks as:
- stealing an organization’s intellectual property,
- confiscating online bank accounts,
- creating and distributing viruses on other computers,
- posting confidential business information on the Internet, and
- disrupting a country’s critical national infrastructure.
The most costly cyber crimes, according to the report, are those caused by denial of service, malicious insiders and web-based attacks. It states that mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing and enterprise governance, risk management and compliance (GRC) solutions.
The loss or misuse of information assets is the most significant consequence of a cyber attack, the report says.
In the ongoing battle against cyber crime, holding companies’ feet to the fire a little bit might just prompt them to bump up their online security and act as a reminder that just when you feel safe, that’s when you’re at your most vulnerable. What do you think? Will holding the victims accountable help ensure companies are more diligent about thwarting cyber attacks in the future?