It is a wonder that you don’t find just about every Chief Information Officer (CIO) sitting under their desk, considering the large and growing number of security breaches that are costing their organizations dearly. As if fending off hackers and other external threats were not enough, CIOs also feel besieged by regulatory entities that are flexing their muscles to protect the interests of consumers, investors, and other constituents. Audit Committees and Chief Financial Officers (CFOs) are getting involved in the discussion too. Board members and executives need to better understand how the FTC, the SEC, the accounting profession, and various standards bodies are trying to get organizations to raise their game when it comes to cybersecurity practices.
Federal Trade Commission (FTC)
The FTC has long asserted its interest in holding companies accountable for failing to safeguard consumer data. On June 26, 2012, the FTC filed a complaint against Wyndham Worldwide Corporation for failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information, and failure to maintain reasonable security against unauthorized access to their networks, which led to three data breaches and harm to their customers. Wyndham challenged the FTC’s right to pursue these claims, arguing, among other things, that the agency was overreaching by trying to hold businesses rather than hackers responsible. On August 24, 2015, the U.S. Court of Appeals for the Third Circuit reaffirmed a previous court ruling that the FTC should proceed.
In the absence of any comprehensive legislation covering data security, it is not surprising that the FTC should fill this regulatory vacuum. Organizations should think harder about how they can improve their security posture rather than resist external regulatory efforts to achieve the same result. The FTC is even reasonably prescriptive in describing on its website the steps it feels organizations should take to improve their defenses. There are also frameworks to follow that have been developed by various standards bodies, including those provided by the National Institute of Standards and Technology (NIST), ISACA (Control Objectives for Information and Related Technology, or COBIT), the International Organization for Standardization (ISO), and the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
U.S. Securities and Exchange Commission (SEC)
A key part of the SEC’s mission is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. It seeks to ensure that investors are provided with material information in order to make informed investment decisions. Current SEC guidance to public companies on cybersecurity disclosure dates to October 2011, and the growing frequency and magnitude of cyber-incidents have caused some political leaders to urge the SEC to do even more.
Clearer rules around disclosure of security breaches (not to mention better practices) could possibly reduce the amount of litigation that follows such events. For example, on August 18, 2015, Web.com announced in a press release that it had discovered an unauthorized breach of a computer system five days earlier, compromising the credit card information of approximately 93,000 customers. The company said that it planned to offer the affected customers a year’s worth of credit monitoring protection. However, its shareholders experienced a 10.5% decline in the share price by the end of the day of the announcement, precipitating numerous lawsuits. Investors will demand greater transparency regarding companies’ cybersecurity practices and more consistently applied standards for the disclosure of incidents.
After 20 years, the internal control framework that is a cornerstone of Sarbanes-Oxley was recently updated by the Committee of Sponsoring Organizations (COSO) to put an emphasis on controls around technology. Think of COSO as something akin to the high priests of accounting. Technology is embedded in everything people and businesses do, so the update motivates Boards, CFOs, CIOs, Generals Counsel and Enterprise Risk Managers, as well as external auditors, to reassess the associated risks and opportunities. Having studied the state of IT housekeeping at Fortune 500 companies, it is clear that there is significant room for improvement virtually everywhere. Considering the potential criminal liability that CEOs and CFOs confront when they sign their company’s §404 and §302 certifications, and growing SEC interest in the integrity of internal controls, there is good reason to get one’s technology house in much better order.
The new normal on cybersecurity is being shaped not just by the growing sophistication and prevalence of hackers, but by the regulatory entities that are pulling organizations to a higher standard. This is not a time for Boards and executives to fight city hall, but to find ways to exceed the regulators’ expectations.