[infowar.de] US corporate security disclosure plan won't help
By Mark Rasch, SecurityFocus
Posted: 20/10/2003 at 12:52 GMT
In an effort to shore up the security of the US' critical infrastructures,
the secretary of the Department of Homeland Security recently proposed
that all publicly-traded companies disclose in their filings with the
Securities and Exchange Commission precisely what they are doing to
protect the security, confidentiality, integrity and availability of their
electronic information and databases.
Harkening back to the end of the last millennium, Tom Ridge suggested in a
speech before the Business Software Alliance that cyber security problems
were similar to the problems presented to publicly traded companies before
Y2K. Ridge suggested that "we need to talk about some kind of public
disclosure. What are you doing about your security, physical and cyber
security? Tell your shareholders, tell your employees, tell the
communities within which you operate".
It's a worthy idea to ponder, but two underlying questions remain
unanswered: are investors really going to make investment decisions based
upon such disclosures, and wouldn't any meaningful disclosures provide
hackers and criminals with a roadmap to vulnerabilities?
All publicly traded companies in the US are required to publicly file
disclosure statements that reveal all known material events, trends or
uncertainties that might affect the value of the company. The purpose of
these disclosures is to alert both shareholders and investors of anything
that could impact share value. Management is required to explain not only
the current financial condition of the company, but also, to some extent,
what it believes will be the future financial condition of the company, in
light of anticipated trends.
To do this, the company files with the SEC a disclosure called
"Management's Discussion and Analysis of Financial Condition and Results
of Operations" (MD&A).
Additionally, the anti-fraud provisions of the securities laws require
companies to publicly reveal any information that could materially affect
the share price. Essentially, you have to tell investors if there is
anything you know that could affect the share price.
In this regard, cyber security can be seen as the purple elephant in the
corner - everyone sees it, but nobody wants to talk about it. Let's face
it, if there is a significant attack on a company's electronic
infrastructure, or a significant loss of reputation as a result of an
attack, the publicly traded company you have just invested your 401(k)
funds in could turn out to be a complete bust. Sometimes, the company
cannot recover. When Tim Lloyd's Trojan destroyed all the files of his
employer, Omega Engineering, in July 1996, the company essentially went
out of business. A similar result occurred three months later when a
disgruntled employee wiped out all of the computer files at Digital
The question is: how much is a company obliged to disclose? The legal test
here is one of materiality. What would a reasonably prudent investor want
to know about the state of a company's computer security that could affect
his or her decision whether or not to invest?
Y2K a Poor Analogy
With Y2K, you knew (well, you thought you knew) that something was going
to happen on 1 January, 2000. You either were prepared for it, or you
weren't. You either took some effort to remediate, or you didn't. You
either tested for vulnerability, or you didn't. Or sometimes something in
In 1998, with the Y2K bug looming, both Congress and the SEC promulgated
laws and regulations that required companies to disclose (1) the company's
state of Y2K readiness; (2) the costs to address the company's Year 2000
issues; (3) the risks of the company's Year 2000 issues; and (4) the
company's contingency plans. While the precise nature of the disclosure
requirements was not set out by the SEC, essentially you told your
shareholders and investors either 'we are ready for Y2K and this is why',
or 'we aren't'.
Cyber security isn't so simple.
Already companies have to disclose anything that could materially affect
their stock price - either in the past (things that have already occurred)
or the future (what the SEC calls "forward looking statements"). Companies
have estimated the cost of the Nimda worm alone at $2.6 billion, Code Red
at $1.2 billion, the Melissa virus at $385 million, and the Mafiaboy DDoS
attacks an additional $1.2 billion. And yet, despite the magnitude of
these stated losses, not a single company has filed an SEC disclosure
statement to its investors or potential investors saying, 'Hey, our
company didn't do as well as expected this quarter because of losses
resulting from the attack.'
The reason lies in the test for materiality. While the destruction of its
entire file system was material to companies like Omega, the diversion of
corporate resources resulting from attacks like Nimda, or Code Red can be
swept under the rug by most large institutions as a 'cost of doing
business'. Indeed, most companies don't keep accurate statistics about the
true costs of cyber security, much less the costs of not providing it.
It is therefore difficult for companies to make a business case within the
institution for dedicating appropriate resources to fight cyber attacks -
much less convince them to disclose their spending to the public.
So what would happen if companies were required to disclose to the public
and the SEC what they were doing in the area of computer security? First,
you'd see a lot of banal and meaningless statements like, 'We have
state-of-the-art security,' or, 'We spent four per cent of our overall IT
budget on security last year' or 'We are substantially modernising our IT
Blueprints for Attacks
Are such statements really useful to investors? What is the right amount
of money to be spent on security? What constitutes security spending? Are
you spending on the right tools, technologies, and training? Are you truly
secure? What are the threats and risks to you and your industry? Why have
you picked that level of security spending? Where do you stand in relation
to others similarly situated? It's pretty complicated stuff for your
average investor to take in. Moreover, I would hardly ever expect a
company to voluntarily disclose that their security is inadequate.
Alternatively, a company could decide to go the other way and disclose a
great deal of detail about what it is doing for security. Explain the
nature and extent of its security technology, give exact dollar figures
spent on security (both totals and percentages), and explain the new
security strategy to be rolled out next year. The problem with this
approach is that, the greater the detail about what you are doing, the
more you tell potential attackers about what you are not doing. The
disclosure makes you more vulnerable to attack.
Companies already have a duty to investors to ensure that they are
protecting all corporate assets, including information assets. Corporate
officers, directors, and auditors act as a fiduciary to their shareholders
to make sure that corporate information assets are available,
confidential, and reliable. While they are entitled to exercise business
judgment in deciding how much to spend to protect these assets (and how
exactly to spend it), they are ultimately responsible to the shareholders
if this judgment proves unsound.
Furthermore, new regulations and laws like Sarbanes-Oxley and the
Gramm-Leach-Bliley Act dictate that companies ensure the confidentiality of
personal financial information, and the reliability of SEC disclosures.
I think that's enough.
Secretary Ridge's theory seems to be that if companies had to tell their
investors what they were doing about security, they would do more. But
it's clear that a failure to adequately protect information assets against
foreseeable threats - whether cyber attacks or a malfunctioning sprinkler
system - is already material to an investor. Additional disclosures won't
add anything of value, and could cause some damage.
Mark D. Rasch, JD, is a former head of the Justice Department's computer
crime unit, and now serves as Senior Vice President and Chief Security
Counsel at Solutionary, Inc.
Copyright © SecurityFocus