“A lack of transparency results in distrust and a deep sense of insecurity.”
– Dalai Lama
The above quote has never been truer than it is in today’s security and privacy environments. There have been too many breaches to mention, but one common theme is that they affect all shareholders to varying degrees. Unfortunately, I’ve been the recipient of a few emails from establishments informing me that a breach occurred. They apologize and say that I will be receiving one—or, if I’m lucky (sarcasm laid on thick)—two years of free credit monitoring. This, folks, is another way of saying, “You can see if someone is using your credentials to impersonate you and affect your credit.” We have accepted this as a normal part of the world we currently live in, where cybercrime is a very big and very successful business. However, an even bigger danger is the lack of transparency about the risk processes that companies have in place to keep our data secure and private.
Many client-affecting breaches could have been avoided with basic cyber security hygiene. Oftentimes, companies fail to properly communicate with shareholders about the preventative measures and recovery programs they’ve employed. In one case, an organization knew there were issues with its security environment but never addressed or communicated these possible risks to its internal or external shareholders. In another instance, a cyberattack occurred due to poor privacy risk mitigation techniques, and even worse, the CISO concealed the breach rather than reporting it to the appropriate authorities.
The common theme? Many companies are ill-prepared to address risk management and incident response within their own ecosystem. In July of this year, the Securities and Exchange Commission (SEC) stated that it would require all publicly traded companies to practice more security “due diligence” and become more transparent with their shareholders on security matters. This would help to ensure that companies disclose material cyber security information to investors, other companies, and the markets connecting them. The SEC stated that organizations would have four days to report incidents that were client-affecting and material to business continuity. It would also require organizations to inform the public about the following:
- The processes for assessing, identifying, and managing risks from cyber security threats
- A description of the board of directors’ oversight of risks from cyber security threats and management’s role and expertise in assessing and managing possible risks
- Their incident response plans, encompassing company-specific threat scenarios
To illustrate the seriousness of this new initiative, the SEC has charged an organization and its CISO with fraud and internal control failures relating to allegedly known cyber security risks and vulnerabilities. Despite knowing that an attack was underway for over a year, the company failed to communicate to the public about the attack or measures being taken to mitigate further risk to the company.
At C1, we have been advising clients on the most effective way to provide both internal and external parties with clarity on their cyber security methods. We have created multiple programs wrapped around risk management and incident response plans that reflect each client’s current risk exposure and acceptance. By communicating these programs effectively, organizations can illustrate that due diligence is being followed and that a true governance, risk and compliance (GRC) environment has been achieved.
Our goal is to help clients elevate their security posture and risk management capabilities, with the ability to be fully transparent to their stakeholders and lessen any surprises that affect business continuity, thereby fostering greater customer confidence.