Corporate Compliance Insights

New SEC Guidance Prioritizes Cybersecurity Disclosures for Public Companies

by Michael Magrath
April 6, 2018
in Data Privacy, Featured

The Case for a Risk-Based Approach

New SEC rulings on cybersecurity disclosures for public companies went into effect just a month ago, acknowledging the rapidly evolving nature of cybersecurity threats and the increasing sophistication of attacks, including the use of stolen credentials, malware, ransomware and phishing. The overwhelming majority of corporate breaches can be traced back to the use of stolen credentials or weak passwords combined with inadequate authentication methods. Too many companies still rely on decades-old security methods that are insufficient in today's environment. What does this mean for your organization? Consider a risk-based, layered approach to security.

Cyberattacks are not going away any time soon and, as a regulator, the U.S. Securities and Exchange Commission clearly understands the impact cybersecurity, or lack thereof, can have on a public company, its employees, customers, shareholders and the stock market in general. On February 26, 2018, the SEC published guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance addresses “the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cybersecurity context.”

In its guidance, the SEC appropriately notes, “hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks.”

Verizon's 2017 Data Breach Investigations Report cites that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Yet, Javelin Strategy & Research's 2017 State of Authentication Report found that a full 100 percent of enterprises continue to use passwords.

GDPR’s Impact on the SEC’s Guidance

The survey results above make me think of the witty definition of insanity: doing the same thing over and over again and expecting different results. That may be humorous, but when it comes to protecting customer data, it's not very funny. The EU's General Data Protection Regulation (GDPR) is quite clear in that customer data is owned by the citizen and not owned by a public company or any other enterprise. I can assure you that GDPR auditors will come down hard on organizations "protecting" data with passwords.

According to PwC, 92 percent of U.S. multinational companies cited compliance with the EU's General Data Protection Regulation (GDPR) as a top data protection priority. GDPR takes effect May 25, 2018, and its global reach affects many companies, public and private, worldwide. ENISA, the European Union Agency for Network and Information Security, released guidelines on how to take the appropriate measures to comply with the GDPR. In the area of access control and authentication, ENISA recommends implementing two-factor authentication in high-risk cases and in certain medium-impact cases, as follows:

“Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics, etc.”

Why Multifactor Authentication Matters

Apart from federal intervention and enforcement, however, cybersecurity starts with identity.  There are secure ways, available today, to verify identities and authenticate individuals accessing sensitive data.

Multifactor authentication (MFA) is an integral part of a risk-based approach to cybersecurity and, amidst the discovery of 1.4 billion stolen clear-text credentials, is fully capable of putting the final nail in the password coffin.

One could argue that security vendors have achieved, or are very close to achieving, a balance between security and usability. Adoption of FIDO Alliance standards is becoming more mainstream, and biometric-enabled mobile devices have opened the floodgates to innovation. Mobile devices are equipped with high-quality cameras capable of capturing images and video of the user's face, and with microphones that can leverage voice-recognition technology. Fingerprint, voice and facial recognition and adaptive authentication are being used across many industries. As a result, compliance may be just a matter of deploying, for internal controls, technology already in use by customers.

The SEC's guidance states that they "don't expect public companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences." The SEC isn't requiring that every public company deploy MFA. However, I would be hard pressed to find any company that has followed a risk-based approach and is granting access to customers' personally identifiable information and corporate assets without MFA.


Tags: data breach, GDPR, SEC
Michael Magrath

Michael Magrath is Director of Global Standards and Regulations at OneSpan and responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally.

He is Co-Chair of the FIDO Alliance's Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the Board of Directors for the Identity Ecosystem Steering Group (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force.

Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).

Before DrFirst, Mike led Gemalto's market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a “Health Security Card” to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor's Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.

© 2019 Corporate Compliance Insights