Tag Archives: SEC

Companies fear reputation for bad security

As more companies come out of the closet about their Internet security being compromised, still more start to admit it. But many (perhaps most) don’t even know. Fortunately, there is a way the public can get a clue even about those companies.

Nicole Perlroth wrote for the NYTimes 20 February 2013 that corporations try to hide successful cracking of their Internet security:

Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.

However, as some companies come out of the closet about this (Twitter, Facebook, Apple, etc.) and such

revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”

Now here’s the interesting part:

Continue reading

Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they’re becoming more realistic.

However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26: Continue reading

SEC moving towards breach disclosure requirement?

The 13 October 2011 SEC guidance, CF Disclosure Guidance: Topic No. 2: Cybersecurity, leaves most of the decision of what sort of breaches are significant enough to disclose up to the affected organizations. But look at this:

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship.
Hm, incentives like showing an improved reputational risk ranking?

Perhaps in order to prevent this sort of thing?

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.
The SEC is still missing at least one connection between dots:

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.
Sure, infosec costs money. But if infosec actually prevents loss of customer goodwill, infosec could attract and retain customers, so infosec could be a source of profit. If anybody knows about it, that is.

-jsq

Coal company reputation

Good news from the SEC for a change! They’re requiring coal plant operators to report health and safety violations, including fatalities, within a few days of occurence.

FuelFix posted from AP on 23 December 2011, SEC requiring coal firms to report safety problems

Earlier this week, the SEC announced new rules that require mining companies to start reporting any fatalities and all major health and safety violations, mine by mine, in their quarterly and annual financial reports. The filings are mandated in the wide-ranging Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed to try to increase corporate accountability.

The rules take effect 30 days after publication in the Federal Register. They require companies to report within four days any “significant and substantial” violations, citations, flagrant violations and imminent-danger orders issued by the federal Mine Safety and Health Administration.

Coal operators must also include the dollar value of proposed fines, whether the company has been or may be designated a pattern violator by MSHA, and any pending cases with the Federal Mine Safety and Health Review Commission.

What problem does this reporting solve? As the article points out: Continue reading