Cybercrime disclosures rare despite new SEC rule…. But lawmakers plan to change this!| law.com

Cybercrime disclosures rare despite new SEC rule.

In October of 2011, the Securities and Exchange Commission issued a non-mandatory guidance statement on cybersecurity and the reporting of security requirements. Despite this guidance, which was intended to clarify existing reporting requirements for publicly traded companies under Sarbanes-Oxley and other federal privacy laws and regulations, many companies are either not reporting cybersecurity breaches or are skirting the reporting requirements by making very general disclosures which appear designed to minimize or disguise the nature and severity such breaches.

In response to this dearth of meaningful reporting, the Chairman of the Senate Commerce, Scientce and Transportation Committee, Sen. Jay Rockefeller, is seeking to add provisions to cybersecutiy laws that would strengthen and clarify breach-reporting obligations.  Among the results of these changes would be a requirement that the SEC clarify when companies must disclose cyber breached and requiring companies  to spell out the steps they are taking to protect their computer systems from intrusions.

In the wake of such spectacular hacks as the breach of LinkedIn’s site and the repeated intrusions into Wyndam Hotel’s systems (for which the FTC is actively pursuing punitive enforcement against the company), it has become increasingly clear that cyber-crime is a real risk to businesses. In response to the damage that such intrusions does to both investors and end-customers, the government is clearly placing increased pressure on companies to step up and combat this economic threat through implementation of better preventative measures and by disclosing the existence of breaches after the fact, to ensure that system issues within companies’ security are not simply swept under the proverbial rug. Increasingly businesses must make protection of critical infrastructure and its data storage, handling, and destruction key elements in their business planning and implementation, rather than the afterthought if often seems to be.

Advertisements

Hacked companies fight back with controversial steps | Reuters

Hacked companies fight back with controversial steps | Reuters.

This is an interesting, timely, and valuable piece examining how companies are dealing with the growing onslaught of commercial cyber-attacks.

Gone are the days when a company can take for granted that a firewall and updated anti-virus software was enough to keep its data safe.

Increasingly companies are taking more proactive, and even retaliatory, actions to deal with this onslaught.

Needless to say, companies must tread a careful line here, lest they fall victim to liability for their own action.

In any event, this is a good read to stimulate thought about how companies are coping with increasing cyber-security threats. Is your strategy up to the task? It’s a question you cannot afford not to ask yourself!