The Case for a Risk-Based Approach

New SEC rulings on cybersecurity disclosures for public companies went into effect just a month ago, acknowledging the rapidly evolving nature of cybersecurity threats and the increasing sophistication of attacks, including the use of stolen credentials, malware, ransomware and phishing. The overwhelming majority of corporate breaches can be traced back to stolen credentials or weak passwords combined with inadequate authentication methods. Too many companies still rely on decades-old security methods, which are insufficient in today’s environment. What does this mean for your organization? Consider a risk-based, layered approach to security.

Cyberattacks are not going away any time soon and, as a regulator, the U.S. Securities and Exchange Commission clearly understands the impact cybersecurity, or lack thereof, can have on a public company, its employees, customers, shareholders and the stock market in general. On February 26, 2018, the SEC published guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance addresses “the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cybersecurity context.”

In its guidance, the SEC appropriately notes, “hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks.”

Verizon’s 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Yet, Javelin Strategy & Research’s 2017 State of Authentication Report found that a full 100 percent of enterprises continue to use passwords.

GDPR’s Impact on the SEC’s Guidance

The survey results above make me think of the witty definition of insanity: doing the same thing over and over again and expecting different results. That may be humorous, but when it comes to protecting customer data, it’s not very funny. The EU’s General Data Protection Regulation (GDPR) is quite clear that customer data is owned by the citizen and not by a public company or any other enterprise. I can assure you that GDPR auditors will come down hard on organizations “protecting” data with passwords.

According to PwC, 92 percent of U.S. multinational companies cited compliance with the EU’s General Data Protection Regulation (GDPR) as a top data protection priority. GDPR takes effect May 25, 2018, and its global reach affects many companies, public and private, worldwide. ENISA – the European Union Agency for Network and Information Security – released guidelines on how to take the appropriate measures to comply with the GDPR. In the area of access control and authentication, ENISA recommends implementing two-factor authentication in high-risk cases and in certain medium-impact cases, as follows:

“Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics, etc.”

Why Multifactor Authentication Matters

Apart from federal intervention and enforcement, however, cybersecurity starts with identity. There are secure ways, available today, to verify identities and authenticate individuals accessing sensitive data.

Multifactor authentication (MFA) is an integral part of a risk-based approach to cybersecurity and, amidst the discovery of 1.4 billion stolen clear text credentials, is fully capable of producing enough force to put the final nail in the password coffin.

One could argue that security vendors have achieved, or are very close to achieving, a balance between security and usability. Adoption of FIDO Alliance standards is becoming more mainstream, and biometric-enabled mobile devices have opened the floodgates to innovation. Mobile devices are equipped with high-quality cameras capable of capturing images and video of the user’s face, and with microphones that support voice-recognition technology. Fingerprint, voice and facial recognition and adaptive authentication are being used across many industries. As a result, compliance may be just a matter of deploying, for internal controls, technology already in use by customers.

The SEC’s guidance states that they “don’t expect public companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.” The SEC isn’t requiring that every public company deploy MFA. However, I would be hard pressed to find any company that has followed a risk-based approach and is granting access to customers’ personally identifiable information and corporate assets without MFA.

Michael Magrath

Mike Magrath is a member of the FIDO Alliance’s Privacy and Public Policy Working Group, the Biometrics Institute’s Privacy and Policy Expert Group and the Identity Ecosystem Steering Group’s (IDESG) Board of Directors. The IDESG is a voluntary, public-private partnership built around the National Strategy for Trusted Identities in Cyberspace (NSTIC) and is the only independent body dedicated to redefining how people and organizations identify themselves online, by fostering the creation of privacy-enhancing trusted digital identities. He also served as Chairman of the Health Information Management Systems Society (HIMSS) Identity Management Task Force in 2016 to 2017. The Task Force represented HIMSS’ membership with regard to national and industry initiatives on identity management, such as the NSTIC and the IDESG and other national policy and technical efforts.

Mike is currently Director, Global Regulations & Standards at OneSpan. Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronic prescribing of controlled substances (EPCS). Mike previously led Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a “Health Security Card” to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.