{"id":385,"date":"2013-05-15T00:00:00","date_gmt":"2013-05-15T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/05\/15\/beware-the-coming-sec-regulations-on-cybersecurity\/"},"modified":"2021-12-30T11:37:11","modified_gmt":"2021-12-30T11:37:11","slug":"beware-the-coming-sec-regulations-on-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/05\/15\/beware-the-coming-sec-regulations-on-cybersecurity\/","title":{"rendered":"Beware The Coming SEC Regulations On Cybersecurity"},"content":{"rendered":"<p>Having been CEO of a public company and now as CEO of a global enterprise software company which provides cyber security and compliance solutions to many public companies, I can attest to the growing complexities and pressures of supply (threats and risk to operations) and demand (regulatory requirements) that must be managed on a daily basis. In his April 9 letter to the SEC Chair, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) urged the SEC to step up the requirements on its guidance (issued in October 2011) for companies to disclose information about their ability to defend against attacks on their networks. \u201cInvestors deserve to know whether companies are effectively addressing their cyber security risks \u2014 just as investors should know whether companies are managing their financial and operational risks,\u201d the letter said. From this experience I\u2019ve learned that corporate risk is idiosyncratic and varies from company to company, but the SEC looks at it all the same.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If the SEC requires details on the material loss from cyber-attacks, the actual reporting of such proof is going to be a tall order on a company that\u2019s already strapped for specialized IT security talent and working at fever pitch to manage risk. 
Until then cyber incidents continue to financially drain private and public companies, IT must clean up the mess and put a lid on it in order to save face with stakeholders.<\/p>\n<p>As corporate data theft continues and investors demand answers, here are recommended actions companies can take now within their IT departments to ensure they are prepared to not only answer to the SEC and investors, but also better prepared for managing the risks associated with maintaining and relying on global computer networks:<\/p>\n<p>It\u2019s All or Nothing: With today\u2019s emerging technologies such as cloud computing, mobility and virtualization, it\u2019s important to have a complete view of your IT landscape.<\/p>\n<p>Less is More: Those with experience with Sarbanes-Oxley understand that access and entitlements to financial reporting systems is a vital control to exhibit, mainly due to the potential impact of manipulation of those systems.<\/p>\n<p>Most companies that have their data or systems compromised as a result of a security incident know full well the costs of repair and remediation; costs of deploying cybersecurity protections (including software like my company develops), litigation costs and the worst: reputational damage to brands and stock price.<\/p>\n<p>While companies are following the guidance, many that have been the targets of these successful attacks have denied any material impact in their SEC filings \u2013 the lack of these filings proves that.<\/p>\n<p>Link: <a 
href=\"http:\/\/www.forbes.com\/sites\/ciocentral\/2013\/05\/15\/how-to-prepare-for-when-the-sec-comes-asking-about-cybersecurity-risk\/2\/\">http:\/\/www.forbes.com\/sites\/ciocentral\/2013\/05\/15\/how-to-prepare-for-when-the-sec-comes-asking-about-cybersecurity-risk\/2\/<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-385","post","type-post","status-publish","format-standard","hentry","category-financial"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=385"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/385\/revisions"}],"predecessor-version":[{"id":2872,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/385\/revisions\/2872"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}