Jun 14, 2018 3:17:40 PM
The SEC on Why You Can’t Afford to Dismiss Cyber Security

There are clear parallels between home ownership and cyber security. Locked windows and doors as well as household alarms have cyber-analogs, of course, and are often used to help illustrate the importance of technologies such as Public Key Infrastructure (PKI), network intelligence and the like. But the state of a house’s surrounding environment and the threat it might pose to its owners aren’t typically part of the analogy. They should be. A Wi-Fi-connected home alarm isn’t effective against a burglar if the power is down — or if the home network is down.

The same general principle applies to public companies. It is possible that a company looks great on paper to investors. Perhaps they have developed a promising new technology and have had impressive revenue growth in the past 12 months. But maybe they are terrible at cyber security and have inadvertently leaked their most valuable intellectual property to a company halfway across the world, which is cloning their product. Alternatively, perhaps cyber criminals have managed to take control of a manufacturer’s industrial control systems, resulting in unscheduled downtime or safety problems.

In our connected world, many investors continue to look to invest in companies with solid financials but give little thought to their cyber security maturity. Public companies’ cyber security posture can contribute to stock volatility. A severe breach can trim 1.8 percent off of a company’s permanent stock valuation, according to an analysis from CGI Group. Even the prospect of unauthorized data use can have severe consequences, as it did recently with Facebook, which saw its stock fall from in $185 per share in on March 16 to $153 per share by March 28. Equifax saw its stock fall even more spectacularly last year when revealed that more than 140 million Americans were victims of a cyber security breach, falling some 35 percent from $141 per share on September 6 to $93 on September 15. The stock has still not recovered.

It’s easy to understand why the SEC released its cyber security guidance earlier this year, the first time it has done so since 2011. On the one hand, networking and data management technology are as vital now to modern business as electricity was in the previous century. On the other, it continues to remain difficult for investors to make informed decisions in evaluating companies given that a single breach could have long-term implications for public companies. Frequently, many companies continue to hide or diminish the importance of cyber security.

In our connected world, hackers have a myriad of potential targets that could spell trouble for individual companies or collectively. As SEC explains in its new guidance: “Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the U.S. economy depend on the security and reliability of information and communications technology, systems, and networks.” What’s more, the list of threat actors to worry about is long. In addition to black hat hackers looking to make a buck, SEC warns of nation-states, hacktivists and even competitors as perpetrating attacks against public companies.

Hackers could, for instance, set their sights on the automated systems used by quant funds such as BlackRock. DARPA is working to help bolster the defenses of these systems as they worry that hackers could attack the integrity of financial infrastructure by pumping false information into stock databases or modifying trading algorithms.

While such scenarios may seem theoretical, the risk of such attacks is growing. Hackers are already having a deleterious effect on the stocks of well-known companies and, in some cases, SEC is taking enforcement action against them. The most recent example of this comes courtesy of Yahoo, whose holding company Altaba was recently hit with a $35 million fine. Yahoo had failed to divulge to investors that it had been hacked in 2014 until two years later.

The SEC’s most recent guidance addresses such delays and provides guidance for the timely disclosure of cyber breaches. It focuses less on cyber security strategy or providing concrete recommendations for measures public companies should take to protect themselves.

Ultimately, however, cyber risks are growing in volume and type. Cyber criminals can now negatively impact public companies by third-parties that do business with them. Examples of this principle include the 2013 Target hack by way of an HVAC vendor and the Mirai-botnet-based Dyn attack in 2016, which disrupted internet availability for well-known companies such as Amazon, Spotify and Netflix.

But the Internet of Things (IoT) also opens up an array of new cyber risks. Hackers targeting industrial facilities could  injure or even kill workers — a prospect that could damage a company’s reputation and saddle it with lawsuits. Returning to the home example at the beginning of this post, what might happen to the stock of tech behemoths if hackers, say, managed to gain access to smart speakers, snooping on millions of people? Or what might happen to the stock of a maker of Wi-Fi connected smoke alarms if hackers managed to disable those devices without their owners’ knowledge, and several saw their houses burn down? The variety of possible cyber attacks has never been greater.

White Paper: IoT Security for the Future

In any case, public companies certainly have their work cut out for them in understanding security vulnerabilities as they evolve, while also determining how much information to share with SEC. The regulatory agency itself states that it does not intend for companies to overshare. It states that it is not necessary for companies to provide it with “detailed disclosures that could compromise its cyber security efforts – for example, by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.’” Yet in order for public companies to maintain the confidence of investors, it is vital that they have such a roadmap and that they be honest and forthright in sharing an overview of relevant cyber-vulnerabilities and breaches. As Franklin D. Roosevelt said in 1933: “Confidence... thrives on honesty, on honor, on the sacredness of obligations, on faithful protection and on unselfish performance. Without them, it cannot live.”