Commenting on this week's updated guidance from the SEC on how public companies should disclose cyber security risks and breaches, IT security experts offered the remarks below.
Willy Leichter, VP of Marketing at Virsec:
“The new SEC guidance on cybersecurity is a step in the right direction but is pretty lacking in specifics.
Requiring disclosure of cyber security gaps that may not yet have been exploited is important, as is barring insider trading on non-public knowledge of a breach. However, recommending "timely" notification of breaches is far too vague. Was Equifax's months-long gap in public disclosure timely?
It’s also surprising that the word “privacy” does not appear anywhere in the document. Granted, data privacy may not be in the SEC’s purview, but these incidents most commonly involve breaches of customer data and ensuing loss of privacy, confidence and customer trust.”
Ashley Stephenson, CEO at Corero Network Security:
“It will no longer be sufficient for companies to simply acknowledge the potential risk of a future DDoS attack. The SEC has provided guidance that disclosure should also assess the consequences of the DDoS incident. This welcome clarification will lead to a better understanding of the true costs of DDoS attacks and, by association, the benefits of proactively protecting against this type of cyber threat. We believe investors will reward companies that take an aggressive approach to protecting their online presence and enterprise reputation against DDoS.
"In our experience many DDoS attacks go undetected on unprotected networks and, as a consequence, undisclosed. Given the prevalence of DDoS attacks, it is unlikely that the defence of "plausible deniability prior to the first disclosable attack" will be tolerated by the SEC (and other regulators) for very long. Best practice must be based on proactive, always-on defences."