If the SEC requires details on the material loss from cyber-attacks, the actual reporting of such proof is going to be a tall order for a company that's already strapped for specialized IT security talent and working at fever pitch to manage risk. Until then, as cyber incidents continue to financially drain private and public companies, IT must clean up the mess and put a lid on it in order to save face with stakeholders.
As corporate data theft continues and investors demand answers, here are recommended actions companies can take now within their IT departments to ensure they are prepared not only to answer to the SEC and investors, but also to manage the risks associated with maintaining and relying on global computer networks:
It’s All or Nothing: With today’s emerging technologies such as cloud computing, mobility and virtualization, it’s important to have a complete view of your IT landscape.
Less is More: Those with experience with Sarbanes-Oxley understand that access and entitlements to financial reporting systems are a vital control to exhibit, mainly due to the potential impact of manipulation of those systems.
Most companies that have their data or systems compromised as a result of a security incident know full well the costs of repair and remediation, the costs of deploying cybersecurity protections (including software like my company develops), litigation costs and, worst of all, reputational damage to brands and stock price.
While companies are following the guidance, many that have been the targets of these successful attacks have denied any material impact in their SEC filings – the lack of these filings proves that.
Link: http://www.forbes.com/sites/ciocentral/2013/05/15/how-to-prepare-for-when-the-sec-comes-asking-about-cybersecurity-risk/2/