
Posted: September 11, 2012

When company data gets stolen…

What are you required to report?

Dirk Anderson

Every year, cyber-criminals steal billions of dollars' worth of data from large and small U.S. companies. The kinds of data thieves target include credit card data, patient data, personal financial data and personally identifiable data, such as tax data, credit reports and background checks. This data becomes all the more exposed as changing business environments, such as mobile payments and cloud services, become mainstream.

Most companies are woefully unprepared for a data breach, and investors are typically not informed when one occurs. The Ponemon Institute has found that the average data breach costs a company between $5 million and $8 million, which can easily sink a smaller business.

In October 2011, the Securities and Exchange Commission (SEC) issued new guidelines governing data breach disclosure in an effort to promote transparency for company executives and investors. Stakeholders need to know if a data breach occurs and what the financial ramifications will be for the company. In the past, companies have been reluctant to report data breaches because they did not want security failures to become publicly known. Now that has all changed: if companies do not report data breaches to the SEC, they will face sanctions and potential lawsuits.

If a data breach occurs, what are companies required to disclose?

  1. Disclosure that a data breach has occurred with “material impact.” This includes the financial statement impact of the breach and who was affected by it.
  2. Risk factors. These include:
    1. Inherent risk arising from the nature of the specific business environment (not general or generic risks), including outsourced functions
    2. The likelihood that a past incident predicts future events
    3. Regulatory requirements and potential penalties
    4. A summary of relevant insurance coverage

To mitigate the risks associated with data breaches, CEOs must have a clear understanding of where their most sensitive data is located, whether on their own IT systems or with third parties, and what security controls are in place to protect it. Protecting critical infrastructure requires companies to integrate cyber risk into an enterprise risk management program, establish controls to identify future risks and potential data breaches, and participate more actively in the cyber security community. With greater vigilance and transparency, organizations can rest easier knowing that they have a clearer understanding of how to protect sensitive data from cyberattacks.

Dirk Anderson is a managing director at Coalfire. He has more than 15 years of experience in the field of information technology, which has provided him with extensive knowledge in the development of policy and awareness programs for multi-national corporations where he has held the positions of practice lead/senior analyst, chief security architect, senior manager global security architecture, and manager of information security and Internet systems. Anderson’s breadth of experience also extends to multi-national retailers, banking, telecommunications, investment, energy, manufacturing, and governmental organizations. Contact him at dirk.anderson@coalfire.com.
