The Case for a Risk-Based Approach
New SEC rulings on cybersecurity disclosures for public companies went into effect just a month ago, acknowledging the rapidly evolving nature of cybersecurity threats and the increasing sophistication of attacks, including the use of stolen credentials, malware, ransomware and phishing. The overwhelming majority of corporate breaches can be traced back to the use of stolen credentials or weak passwords combined with inadequate authentication methods. Too many companies still rely on decades-old security methods, which are insufficient in today’s environment. What does this mean for your organization? Consider a risk-based, layered approach to security.
Cyberattacks are not going away any time soon and, as a regulator, the U.S. Securities and Exchange Commission clearly understands the impact cybersecurity, or lack thereof, can have on a public company, its employees, customers, shareholders and the stock market in general. On February 26, 2018, the SEC published guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance addresses “the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cybersecurity context.”
In its guidance, the SEC appropriately notes, “hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks.”
Verizon’s 2017 Data Breach Investigations Report cites that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Yet, Javelin Strategy & Research’s 2017 State of Authentication Report found that a full 100 percent of enterprises continue to use passwords.
GDPR’s Impact on the SEC’s Guidance
The survey results above make me think of the witty definition of insanity: doing the same thing over and over again and expecting different results. That may be humorous, but when it comes to protecting customer data, it’s not very funny. The EU’s General Data Protection Regulation (GDPR) is quite clear that customer data is owned by the citizen and not by a public company or any other enterprise. I can assure you that GDPR auditors will come down hard on organizations “protecting” data with passwords.
According to PwC, 92 percent of U.S. multinational companies cited compliance with the EU’s General Data Protection Regulation (GDPR) as a top data protection priority. GDPR takes effect May 25, 2018, and its global reach affects many companies, public and private, worldwide. ENISA – the European Union Agency for Network and Information Security – released guidelines on how to take the appropriate measures to comply with the GDPR. In the area of access control and authentication, ENISA recommends implementing two-factor authentication in high-risk cases and in certain medium-impact cases, as follows:
“Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics, etc.”
Why Multifactor Authentication Matters
Apart from federal intervention and enforcement, however, cybersecurity starts with identity. There are secure ways, available today, to verify identities and authenticate individuals accessing sensitive data.
Multifactor authentication (MFA) is an integral part of a risk-based approach to cybersecurity and, amid the discovery of 1.4 billion stolen cleartext credentials, is fully capable of putting the final nail in the password coffin.
One could argue that security vendors have achieved, or are very close to achieving, a balance between security and usability. Adoption of FIDO Alliance standards is becoming more mainstream, and biometric-enabled mobile devices have opened the floodgates to innovation. Mobile devices are equipped with high-quality cameras capable of capturing images and video of the user’s face, and with microphones that support voice-recognition technology. Fingerprint, voice and facial recognition and adaptive authentication are being used across many industries. As a result, compliance may be just a matter of deploying, for internal controls, technology already in use by customers.
The SEC’s guidance states that they “don’t expect public companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.” The SEC isn’t requiring that every public company deploy MFA. However, I would be hard pressed to find any company that has followed a risk-based approach and is granting access to customers’ personally identifiable information and corporate assets without MFA.