Posted: September 11, 2012
When company data gets stolen…
What are you required to report?Dirk Anderson
Every year, cyber-criminals steal billions of dollars worth of data from large and small U.S. companies. The sort of data that thieves are looking to steal include credit card data, patient data, personal financial data and personally identifiable data, such as tax data, credit reports and background checks. This type of data is all the more vulnerable as changing business environments, such as mobile payments and cloud services, become mainstream.
Most companies are woefully unprepared for a data breach, and many investors are typically not informed when a data breach occurs. The Ponemon Institute has found that the average cost of a data breach costs a company between $5 million and $8 million, which can easily sink a smaller business.
In October 2011, the Securities and Exchange Commission (SEC) issued new guidelines governing data breach disclosure in an effort to promote transparency for company executives and investors. Stakeholders need to know if a data breach occurs and what the financial ramifications will be for the company. In the past, companies have not wanted to report data breaches because they did not want any security failures to be publicly known. Now that has all changed---if companies do not report data breaches to the SEC, they will face sanctions and potential lawsuits.
If a data breach occurs, what are companies required to disclose?
- Disclosure that a data breach has occurred with “material impact.” This would include the financial statement impact of the breach and who was affected by the breach.
Risk Factors. These would include:
- Inherent risk due to nature of specific business environment (not general or generic risks) including outsourced functions
- Likelihood of past incident predicting future events
- Regulatory requirements and potential penalties
- Summary of relevant insurance coverage
In order to mitigate the risks associated with data breaches, CEOs must have a clear understanding of where their most sensitive data is located on their IT systems or with third parties and what security methods are in place. Protecting critical infrastructure requires companies to integrate cyber risk into an enterprise risk management program, establish controls to identify future risks and potential data breaches and more actively participate in the cyber security community. Using more vigilance and transparency, organizations will be able to rest easier knowing that they have a more clear understanding of how to protect sensitive data from cyberattacks.
Dirk Anderson is a managing director at Coalfire. He has more than 15 years of experience in the field of information technology, which has provided him with extensive knowledge in the development of policy and awareness programs for multi-national corporations where he has held the positions of practice lead/senior analyst, chief security architect, senior manager global security architecture, and manager of information security and Internet systems. Anderson’s breadth of experience also extends to multi-national retailers, banking, telecommunications, investment, energy, manufacturing, and governmental organizations. Contact him at firstname.lastname@example.org.