Weighing the implications of disclosing a cyber attack
Transparency about security incidents has become a pressing question for publicly traded companies. This article looks at a recent disclosure, the regulatory expectations around it, and the difficulty companies face in deciding which cyber events to report, and how soon.
On Tuesday, FireEye filed an 8-K report with the SEC revealing that it had been breached and that the attackers had taken its Red Team tools, the software its consultants use to simulate adversary techniques during customer security assessments. The filing is a notable example of a company choosing to disclose an intrusion promptly and publicly.
The Securities and Exchange Commission (SEC) has pushed for more transparency on such matters because a cyber incident can affect a company's reputation, financial performance, customer and vendor relationships, and exposure to litigation, all of which are material to investors. The SEC's 2018 interpretive guidance encourages companies to disclose cybersecurity risks and incidents, while making clear that it does not expect technical detail that would compromise ongoing defensive or investigative efforts.
The decision to disclose is rarely straightforward, in part because the full extent of a compromise is seldom known when an attack is first discovered. Yahoo is the standard cautionary example: it suffered separate breaches in 2013 and 2014, the 2013 intrusion ultimately affecting all 3 billion user accounts. Neither had been disclosed when Verizon agreed to acquire Yahoo in July 2016; the 2014 breach was announced that September, the 2013 breach in December, and the true scope of the 2013 breach was not made public until October 2017.
The 2014 Yahoo intrusion was later attributed by U.S. prosecutors to hackers working with Russian state intelligence, a reminder that cyber incidents can carry geopolitical as well as commercial consequences. Whatever an incident's apparent severity, notifying law enforcement or the relevant regulator early is usually the safer course; the facts tend to get worse, not better, as the investigation proceeds.
In the United States, breach notification is governed by state law, and organizations operating in many states often align their procedures with the strictest statutes, such as those of California and Massachusetts. Outside the U.S., the EU's General Data Protection Regulation (GDPR) requires organizations to notify their supervisory authority within 72 hours of becoming aware of a personal data breach.
The SEC's interest in cybersecurity disclosure is not new. Its first guidance on the subject was issued in 2011, following the hack that took Sony's PlayStation Network offline for weeks. Even so, practitioners disagree on how much to say. Grady Summers, EVP of Solutions and Technology at SailPoint, stated that high-threat risks are typically filed in 8-K reports. On the other hand, Curtis Simpson, CISO of Armis, stated that disclosing too much can make a company look worse than it is.
The consequences of inadequate disclosure can be severe. PayPal, FedEx, and Zoom have all faced shareholder lawsuits alleging that they were not forthcoming enough about cyber incidents or security weaknesses. Striking the right balance between transparency and discretion will remain a critical challenge for businesses.