US corporate security disclosure plan won't help
By Mark Rasch, SecurityFocus
Posted: 20/10/2003 at 12:52 GMT

In an effort to shore up the security of the US' critical infrastructures, 
the secretary of the Department of Homeland Security recently proposed 
that all publicly-traded companies disclose in their filings with the 
Securities and Exchange Commission precisely what they are doing to 
protect the security, confidentiality, integrity and availability of their 
electronic information and databases. 

Harkening back to the end of the last millennium, Tom Ridge suggested in a 
speech before the Business Software Alliance that cyber security problems 
were similar to the problems presented to publicly traded companies before 
Y2K. Ridge suggested that "we need to talk about some kind of public 
disclosure. What are you doing about your security, physical and cyber 
security? Tell your shareholders, tell your employees, tell the 
communities within which you operate". 

It's a worthy idea to ponder, but two underlying questions remain 
unanswered: are investors really going to make investment decisions based 
upon such disclosures, and wouldn't any meaningful disclosures provide 
hackers and criminals with a roadmap to vulnerabilities? 

All publicly traded companies in the US are required to publicly file 
disclosure statements that reveal all known material events, trends or 
uncertainties that might affect the value of the company. The purpose of 
these disclosures is to alert both shareholders and investors of anything 
that could impact share value. Management is required to explain not only 
the current financial condition of the company, but also, to some extent, 
what it believes will be the future financial condition of the company, in 
light of anticipated trends. 

To do this, the company files with the SEC a disclosure called 
"Management's Discussion and Analysis of Financial Condition and Results 
of Operations" (MD&A). 

Additionally, the anti-fraud provisions of the securities laws require 
companies to publicly reveal any information that could materially affect 
the share price. Essentially, you have to tell investors if there is 
anything you know that could affect the share price. 

In this regard, cyber security can be seen as a purple elephant in the 
corner - everyone sees it, but nobody wants to talk about it. Let's face 
it, if there is a significant attack on a company's electronic 
infrastructure, or a significant loss of reputation as a result of an 
attack, the publicly traded company you have just invested your 401(k) 
funds in could turn out to be a complete bust. Sometimes, the company 
cannot recover. When Tim Lloyd's Trojan destroyed all the files of his 
employer, Omega Engineering, in July 1996, the company essentially went 
out of business. A similar result occurred three months later when a 
disgruntled employee wiped out all of the computer files at Digital 
Technologies Group. 

The question is, how much is a company obliged to disclose? The legal test 
here is one of materiality. What would a reasonably prudent investor want 
to know about the state of a company's computer security that could affect 
his or her decision whether or not to invest? 

Y2K a Poor Analogy 
With Y2K, you knew (well, you thought you knew) that something was going 
to happen on 1 January, 2000. You either were prepared for it, or you 
weren't. You either took some effort to remediate, or you didn't. You 
either tested for vulnerability, or you didn't. Or sometimes something in 

In 1998, with the Y2K bug looming, both Congress and the SEC promulgated 
laws and regulations that required companies to disclose (1) the company's 
state of Y2K readiness; (2) the costs to address the company's Year 2000 
issues; (3) the risks of the company's Year 2000 issues; and (4) the 
company's contingency plans. While the precise nature of the disclosure 
requirements was not set out by the SEC, essentially you told your 
shareholders and investors either 'we are ready for Y2K and this is why', 
or 'we aren't'. 

Cyber security isn't so simple. 

Already companies have to disclose anything that could materially affect 
their stock price - either in the past (things that have already occurred) 
or the future (what the SEC calls "forward looking statements"). Companies 
have estimated the cost of the Nimda worm alone at $2.6 billion, Code Red 
at $1.2 billion, the Melissa virus at $385 million, and the Mafiaboy DDoS 
attacks an additional $1.2 billion. And yet, despite the magnitude of 
these stated losses, not a single company has filed an SEC disclosure 
statement to its investors or potential investors saying, 'Hey, our 
company didn't do as well as expected this quarter because of losses 
resulting from the attack.' 

The reason lies in the test for materiality. While the destruction of its 
entire file system was material to companies like Omega, the diversion of 
corporate resources resulting from attacks like Nimda or Code Red can be 
swept under the rug by most large institutions as a 'cost of doing 
business'. Indeed, most companies don't keep accurate statistics about the 
true costs of cyber security, much less the costs of not providing it. 

It is therefore difficult for companies to make a business case within the 
institution for dedicating appropriate resources to fight cyber attacks - 
much less convince them to disclose their spending to the public. 

So what would happen if companies were required to disclose to the public 
and the SEC what they were doing in the area of computer security? First, 
you'd see a lot of banal and meaningless statements like, 'We have 
state-of-the-art security,' or, 'We spent four per cent of our overall IT 
budget on security last year' or 'We are substantially modernising our IT 

Blueprints for Attacks 
Are such statements really useful to investors? What is the right amount 
of money to be spent on security? What constitutes security spending? Are 
you spending on the right tools, technologies, and training? Are you truly 
secure? What are the threats and risks to you and your industry? Why have 
you picked that level of security spending? Where do you stand in relation 
to others similarly situated? It's pretty complicated stuff for your 
average investor to take in. Moreover, I would hardly ever expect a 
company to voluntarily disclose that their security is inadequate. 

Alternatively, a company could decide to go the other way and disclose a 
great deal of detail about what it is doing for security. Explain the 
nature and extent of its security technology, give exact dollar figures 
spent on security (both totals and percentages), and explain the new 
security strategy to be rolled out next year. The problem with this 
approach is that, the greater the detail about what you are doing, the 
more you tell potential attackers about what you are not doing. The 
disclosure makes you more vulnerable to attack. 

Companies already have a duty to investors to ensure that they are 
protecting all corporate assets, including information assets. Corporate 
officers, directors, and auditors act as a fiduciary to their shareholders 
to make sure that corporate information assets are available, 
confidential, and reliable. While they are entitled to exercise business 
judgment in deciding how much to spend to protect these assets (and how 
exactly to spend it), they are ultimately responsible to the shareholders 
if this judgment proves unsound. 

Furthermore, new regulations and laws like Sarbanes-Oxley and the 
Gramm-Leach-Bliley Act dictate that companies ensure the confidentiality of 
personal financial information, and the reliability of SEC disclosures. 

I think that's enough. 

Secretary Ridge's theory seems to be that if companies had to tell their 
investors what they were doing about security, they would do more. But 
it's clear that a failure to adequately protect information assets against 
foreseeable threats - whether cyber attacks or a malfunctioning sprinkler 
system - is already material to an investor. Additional disclosures won't 
add anything of value, and could cause some damage. 

Mark D. Rasch, JD, is a former head of the Justice Department's computer 
crime unit, and now serves as Senior Vice President and Chief Security 
Counsel at Solutionary, Inc. 

Copyright © SecurityFocus