Sunday, March 7, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

New SEC Guidance Prioritizes Cybersecurity Disclosures for Public Companies

by Michael Magrath
April 6, 2018
in Data Privacy, Featured
biometric screening of a thumbprint

The Case for a Risk-Based Approach

New SEC rulings on cybersecurity disclosures for public companies went into effect just a month ago, acknowledging the rapidly evolving nature of cybersecurity threats and the increasing sophistication of attacks, including the use of stolen credentials, malware, ransomware and phishing. The overwhelming number of corporate breaches can be traced back to the use of stolen credentials or weak passwords combined with inadequate authentication methods. Too many companies still rely on decades-old methods of security, which are insufficient in today’s environment. What does this mean for your organization? Consider a risk-based, layered approach to security. 

Cyberattacks are not going away any time soon and, as a regulator, the U.S. Securities and Exchange Commission clearly understands the impact cybersecurity, or lack thereof, can have on a public company, its employees, customers, shareholders and the stock market in general. On February 26, 2018, the SEC published guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance addresses “the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cybersecurity context.”

In its guidance, the SEC appropriately notes, “hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks.”

Verizon’s 2017 Data Breach Investigations Report cites that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords. Yet, Javelin Strategy & Research’s 2017 State of Authentication Report found that a full 100 percent of enterprises continue to use passwords.

GDPR’s Impact on the SEC’s Guidance

The survey results above make me think of the witty definition of insanity: doing the same thing over and over again and expecting different results.  That may be humorous, but when it comes to protecting customer data, it’s not very funny.  The EU’s General Data Protection Regulation (GDPR) is quite clear in that customer data is owned by the citizen and not owned by a public company or any other enterprise.  I can assure you that GDPR auditors will come down hard on organizations “protecting” data with passwords.

According to PwC, 92 percent of U.S. multinational companies cited compliance with the EU’s General Data Protection Regulation (GDPR) as a top data protection priority. GDPR takes effect May 25, 2018, and its global reach affects many companies, public and private, worldwide.  ENISA – the European Union Agency for Network and Information Security – released guidelines on how to take the appropriate measures to comply with the GDPR. In the area of access control and authentication, ENISA recommends implementing two-factor authentication in high-risk cases and in certain medium-impact cases, as follows:

“Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics, etc.”

Why Multifactor Authentication Matters

Apart from federal intervention and enforcement, however, cybersecurity starts with identity.  There are secure ways, available today, to verify identities and authenticate individuals accessing sensitive data.

Multifactor authentication (MFA) is an integral part of a risk-based approach to cybersecurity and, amidst the discovery of 1.4 billion stolen clear text credentials, is fully capable of producing enough force to put the final nail in the password coffin.

One could argue that security vendors have achieved, or are very close to achieving, a balance between security and usability. Adoption of FIDO Alliance standards is becoming more mainstream, and biometric-enabled mobile devices have opened the floodgates to innovation. Mobile devices are equipped with a high-quality camera capable of capturing images and video of the user’s face and microphones to leverage voice-recognition technology.  Fingerprints, voice and facial recognition and adaptive authentication are being used across many industries.  As a result, compliance may be just a matter of deploying technology already in use by customers, for internal controls.

The SEC’s guidance states that they “don’t expect public companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.”  The SEC isn’t requiring that every public company deploy MFA.  However, I would be hard pressed to find any company that has followed a risk-based approach and is granting access to customer’s personally identifiable information and corporate assets without MFA.


Tags: data breachGDPRSEC
Previous Post

Protiviti and ISACA: IT Audit Benchmarking Survey

Next Post

5 Predictions About Blockchain and Compliance

Michael Magrath

Michael Magrath is Director of Global Standards and Regulations at OneSpan and responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).  He also served as a member of the Board of Directors for the Identity Ecosystem Steering Group’s (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force. Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS). Before DrFirst, Mike lead Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition. He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a “Health Security Card” to identify and expeditiously treat victims in the event of a disaster. Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst.  He is married with three children and resides in Northern Virginia.

Related Posts

green and red location markers on map

FinCEN’s Registry Will Be a Game-Changer. It Will Also Place an Added Burden on Corporations.

March 5, 2021
illustration of man under giant gavel

BitPay’s $507K OFAC Sanctions Violations Settlement

March 4, 2021
The facade of the SEC in Washington, D.C.

Prepare Now to Comply with SEC’s Updated MD&A and Related Financial Disclosure Requirements

March 3, 2021
Illustration representing a facial recognition technology scan of a face.

Facial Recognition Technology in the Workplace: Employers Use It, Workers Hate It, Regulation Is Coming for It

March 3, 2021
Next Post
concept of blockchain on purple and red background

5 Predictions About Blockchain and Compliance

OneTrust offers download to demonstrate privacy management leadership
Access realtime data
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence ESG fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights