Just as individuals and organizations were digesting the implications of the massive Equifax data breach, the Securities and Exchange Commission (SEC) dropped another cyber-bombshell last week, announcing a serious compromise in 2016 of “EDGAR,” the Commission’s system for housing documents filed by publicly traded companies. Just a few days later, global accounting giant Deloitte announced that it, too, had experienced a data breach. It goes without saying that we should expect more and more of these announcements – from organizations large and small, from businesses and government agencies – all underscoring the fact that cyber-based threats continue to evolve at an alarming pace, and no entity is truly immune to these threats.
There is no overstating the irony of the SEC’s announcement, coming against the backdrop of its own increasingly tough cybersecurity requirements. More importantly, this latest development turns a spotlight on the critical question of breach disclosure timing. While many in the security community have criticized Equifax for taking six weeks to disclose its breach, the still-emerging facts of the SEC incident suggest that disclosure lagged nearly a year behind the actual compromise. That unexplained delay seriously erodes the credibility of regulators as they try to compel timely disclosures by businesses.
The seemingly feverish attempt by regulators to demonstrate to the public that they are moving aggressively on cyber issues is already raising major concerns. Many would argue that regulators are creating an environment that prioritizes the threat of legal sanctions against public companies for non-compliance over constructive efforts to improve cyber defenses and properly monitor for existing threats.
For example, landmark cybersecurity regulation such as the New York State Department of Financial Services’ 23 NYCRR Part 500, and the European Union’s looming General Data Protection Regulation, is imposing sweeping changes on the way businesses handle PII, backed by the threat of severe financial penalties for non-compliance or mishandling of PII. While some might argue that this type of regulation is long overdue, does it incentivize the kind of behavior we want from the private sector? Or is it widening the chasm in public/private collaboration on cyber matters that the Cybersecurity Information Sharing Act of 2015, or “CISA,” was attempting to mend?
While the recent Equifax and SEC incidents have raised more questions than answers, one thing is clear: individuals, businesses and governments cannot achieve 100% data security. Arguably, we have reached the point where the digitization of our personal and professional lives has outpaced the capacity of the security measures and regulation designed to protect that data. Still, organizations must continue to harden their defenses and test their readiness for major cyber incidents.
Many in the cybersecurity community believe that cyber simulation exercises, better known as “tabletop exercises,” are among the best tools for businesses to test their readiness. The events of the past two weeks have provided some of the best scenarios for such exercises, and businesses should be closely analyzing the behaviors we have observed and asking whether they would have acted differently. As these episodes continue to develop (or unravel, depending on how you look at it), there are some key questions businesses should consider: