The impact of security breaches on Sony Corporation’s stock price has stimulated discussion as to the review of corporate security incidents in the investment decision process. In response to this incident and others like it, the Securities and Exchange Commission (SEC) has released guidance for the disclosure of security incident risk in corporate investor communications.
This guidance is designed to “elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision,” including those related to information security breaches. Such disclosures are justified by existing SEC regulations that require companies to disclose information on the company, the securities discussed in the prospectus, company management, and the financial statement. These may include the following:
- Business and operational details associated with identified risks and potential impact of incidents.
- A summary of the company’s risk management approach and incident response plan.
This guidance encourages organizations to evaluate the extent to which their operations may be impacted by a compromised information assurance (IA) function or a breach of information security. Companies will need to perform a risk assessment of the systems that support their products/services. This assessment should consider incident history to determine trends that may impact their exposure to future incidents. Additionally, the efficacy of their risk management investments should be examined. This analysis should include any service providers that impact the subject of the investment.
The role of the IA team rarely gets press or impacts the perception of a company’s brand until an incident occurs. It is often seen as a cost center necessary to secure corporate and customer information, not as a contributor to its value proposition. The creation of a comprehensive prospectus is an opportunity for the IA function and the business stakeholders to communicate effectively. The business team must describe the value they deliver to their target market. The IA team must describe how their knowledge and experience supports this mission. This team will be challenged to frame the technical details of an incident in the context of operational and strategic business impact. Their recommendations must supply business leaders with compelling metrics that support post-breach control investments.
Implementation of an organizational Computer Incident Response Team is the cornerstone of a consistent, managed, measured reaction to a security breach. I urge companies to staff this team with representatives from all business units that have a stake in incident management. At minimum it should include a representative from the legal department, a communications officer, a manager empowered to make decisions on behalf of the company, and the IT incident response manager. This team should be focused on responding to attacks on company assets and by extension its brand.
We can no longer afford the cultural schism between the server room and the boardroom. Cyber miscreants attack both camps with increasing sophistication, waiting for the proverbial house to fall. Some of these techniques have been mentioned on the @McAfeeBusiness feed and discussed on the Security Connected blog. The SEC has made the clarion call for us to band together to frustrate the attackers while validating the trust placed on us by investors. Will you heed the call?The opinions expressed in this blog are those of the author and do not necessarily reflect the views of McAfee, Inc. This blog is for general information purposes and is not intended to be and should not be taken as legal advice.