The punishment should fit the crime, but what about when it comes to victims? Should they be punished for crimes committed against them? What if their lackadaisical approach to compliance were to blame?
The U.S. Securities and Exchange Commission recently revealed that nine public companies had wired nearly $100 million to cybercriminals who pulled off successful impersonation scams. Those money transfers could have violated accounting rules that require firms to keep assets safe, but the SEC felt that the dual stings of financial loss and embarrassment were enough punishment.
The hackers impersonated vendors and corporate executives via email. The SEC reported that one of the companies (the SEC did not name any of the nine) made 14 wire payments — to the tune of $45 million in losses.
“Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies,” said SEC Chairman Jay Clayton. “Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”
This news comes on the heels of SEC Commissioner Robert Jackson Jr. raising red flags during a speech on cybersecurity in Washington, D.C., in June (Clayton had discussed similar concerns about transparency before a congressional panel that same day).
Cybersecurity and transparency are not new problems. However, the SEC and others are increasingly treating these issues as investor concerns, which is appropriate. After all, cyberattacks and data breaches can lead to falling stock prices, causing investors to also become victims.
As the definition of cyber victims expands, data laws are being reconsidered. For instance, under current law a company would have to disclose the loss of personal data but not the loss of intellectual property. The number of victims may be smaller, but the loss of IP is likely to hurt financials — which means it’s likely to hurt investors as well. In the pharmaceutical industry alone, corporate espionage costs $600 billion annually. It’s not surprising that the SEC is starting to take these issues seriously.
Unpacking the SEC’s Statements
The comments from SEC leaders suggest that stricter data protection and privacy rules are coming down the pipeline, but if and when they will appear remains to be seen. However, businesses don’t have to wait until their hands are forced but instead can make investments that both better prepare them for future regulations and strengthen their companies for investors.
First and foremost, capturing and storing any and all communications related to a data breach will likely become mandated. “All communication” would likely include emails and documents, as well as texts, chats, video conferences, and other digital channels. In the wake of a breach, companies will be required to turn over this information both quickly and completely, which is not easy to do with an incomplete archive.
Regulators are also likely to require cybersecurity standards for every public company. Companies probably have some protections in place already, but they may not be as broad or as deep as the SEC requires once formal rules are completed. Sensitive communication channels like email that are targeted by attackers will be a particular priority.
The business case already exists for stronger cybersecurity and greater transparency. What is changing is regulators’ unwillingness to accept lax standards and vague protections. Taking these issues seriously is very quickly evolving from an option into an obligation — one that might bring fines and penalties for failure.
Staying Ahead of the SEC
Companies will obviously need to reevaluate and reinvest in their cybersecurity strategies to keep regulators, investors, and consumers all happy. We won’t know what specific changes must be made until the SEC acts, but that doesn’t mean companies can’t begin planning now. To that end, start with these strategies for staying compliant (no matter what form compliance takes):
• Err on the Side of Caution. The more business communications you archive, the better. It’s impossible to predict what course the electronic discovery process will take. Make plans to archive as many of your communications as possible and across all the media channels your company uses, from email and social to IM and collaboration tools. To keep this process running efficiently and consistently, ensure that archiving is automated when available.
• Guard Data From All Angles. It’s easy to assume cybersecurity is all about inbound attacks, but data is valuable and vulnerable no matter where it’s located. To keep it safe, companies should also protect data as it leaves the organization, ensuring that both sender and recipient are authorized to access it and that it remains protected from unauthorized access. Implement a strategy that considers all points of data loss and adopts protections to fit your organization’s needs.
• Make Security Second Nature. If cybersecurity tools are confusing or time-consuming to use, people will just find workarounds, which could sabotage the entire compliance effort. Implementing tools that effortlessly and intuitively apply security measures ensures that your compliance strategy is not self-defeating.
The SEC’s attitude is crystal clear: Data protection is the most important issue of our day, and regulators are long overdue to act. What’s important is that companies read the writing on the wall, take it seriously, and make investments that benefit them now and in the future.
Dena Bauckman is VP of Product Management for Zix and has worked with Zix for 13 years. She has more than 20 years of experience in product management and product marketing and has been CISSP-certified since 2007.