Interesting news out of an agency those of us in the security industry don’t think about very much: the SEC (Securities and Exchange Commission). Reuters reports that the SEC is now going to require public companies to disclose, in their SEC filings, any cyberattacks that may have affected them, along with the potential losses resulting from those attacks.
This regulation should have a very interesting side-effect for those of us in the security community. For years, we have tried to quantify the cost of attacks to justify security purchases. But to date, because companies have been so wary of sharing any information about such attacks, the data has been limited.
The Ponemon Institute’s report “2010 Annual Study: Global Cost of a Data Breach” stated that the average organizational cost of a breach across the globe was $4 million, up 18% from 2009. Globally, data breaches cost an average of $156 per compromised record, while in the United States the cost was significantly higher at $214 per compromised record. The study examined actual breach data from 154 global companies across 17 industry sectors. The report states that organizations appear to be taking their “stewardship of sensitive personal data seriously” and are increasing measures to protect against breaches “by implementing data protection best practices and technologies.” The breach costs considered in the report include PR response, software remediation, consulting costs, forensics, customer communications and more.
I’m willing to bet that the new numbers we see out of these companies, about the cost of an attack, are going to far exceed what even we have been speculating for the past few years. As criminals become more sophisticated, and as systems and applications become more intertwined and accessible, those systems continue to be ripe for the picking.
Public companies now face not only the cost of the breach and the cost of repairing customer trust, but also the cost of shareholder nervousness or disenchantment over their security practices and breaches.
Security is no longer the domain of just the CSO or the CIO. With the new SEC rules, the CEO and the board of every public company will have a vested stake in ensuring the security of their systems, if they want to keep their jobs and keep their shareholders happy. And that’s a good thing for us as consumers.