New bill would require public companies to disclose cybersecurity credentials

A new bill introduced to Congress on Thursday would require US publicly listed companies to disclose who on their Board has cybersecurity expertise. If it passes, the Cybersecurity Disclosure Act of 2015 would oblige companies to add details of which, if any, of their directors know about online security in filing to the …

  1. channel extended
    Trollface

    Of course they would!!!

    "But companies have been reticent, claiming that providing such information could be an invitation for shareholder lawsuits."

    If you had invested in Target and found out they cut IT security before the hack you would sue also. Companies don't want to show how much they spend because the cheap bast**ds know they would be making themselves a target.

    Let's see, increase security or raise my bonus. Hard One.

  2. Anonymous Coward
    Childcatcher

    NACD are qualified to judge?

    "Just 11 per cent of public boards have a "high-level understanding of cybersecurity," according to the National Association of Corporate Directors."

    I wonder how the criteria were determined and stats were gathered for that 11% headline figure. I really hate the term cybersecurity. Anyway, why not mandate something like the UK's "Cyber Essentials" as well as getting info on what the Board's understanding of IT is. We (UK) could do with a similar bill, IMNSHO.

    So if a corp, subject to this regulation, lodges expertise and knowledge then the scope for claims at court in the event of a slight technical hitch due to haxx0rs will be increased. I suppose the presumption for the bill is that it will help the corp. in some way (financially) by demonstrating expertise and hence investors will come flocking.

    For the board members it is a simple risk analysis: I suspect that many corp board members will suddenly develop IT skill amnesia.

    1. Destroy All Monsters Silver badge

      Re: NACD are qualified to judge?

      Sometimes it would be cool if anyone of the board had any skill whatsoever.

      We could actually start with demanding that board members pass the brain scan checking for sociopathy. That would be useful.

      1. Anonymous Coward
        Anonymous Coward

        Re: NACD are qualified to judge?

        Yes .. I have a long-held theory that 'almost all Companies survive in spite of the senior management'.

        1. beep54
          Happy

          Re: NACD are qualified to judge?

          Pretty certain that your theory is merely a corollary to The Peter Principle.

    2. Alan Brown Silver badge

      Re: NACD are qualified to judge?

      Public liability insurers can judge. All it takes is an appropriate clause cancelling indemnity in the face of actual negligence of this type.

  3. Anonymous Coward
    Anonymous Coward

    An auto-scapegoat program.

    1. jake Silver badge

      @moiety

      It even has a TLA: CTO.

      I've only met one CTO who had a clue about actual down-in-the-trenches technical/security issues[0]. The rest are sacrificial sheep, IMO.

      [0] Guess who, and I'll buy you a beer ;-)

  4. a_yank_lurker

    Congress Critters at Work?

    While the issue of corporate cyber security is important, I doubt Congress critters collectively have enough grey matter to write plausible, workable law that would actually improve this. I fear a Titanic mentality of meeting the letter of the law but not the intent of the law by companies.

  5. Doctor Syntax Silver badge

    "I suppose the presumption for the bill is that it will help the corp. in some way (financially) by demonstrating expertise and hence investors will come flocking."

    Not by demonstrating expertise but by acquiring it.

  6. Gene Cash Silver badge
    Facepalm

    Describe corporate cybersecurity credentials:

    [x] None

    [x] What is cybersecurity?

    [x] Big nope

    [x] That's too expensive

    [x] Credit monitoring is cheaper

    1. Anonymous Coward
      Anonymous Coward

      please find enclosed your graduation certificate from the Talk Talk school of management.

      (What's that, the envelope was empty? Maybe someone nicked it. Not our fault though - but even though it's definitely not our fault, not not not, here's a free subscription to our postal deliveries monitoring service you don't want anyway, but it's not our fault. )

  7. Crazy Operations Guy

    Cue new certification being created

    And now, I'm sure that one of the certification companies is going to come out with a special certification for 'Cyber-security Awareness' so that board members can claim they have cyber security experience and can spout off enough buzzwords to fool investment bankers.

    Much like all the Six-sigma certifications that I see incompetent upper management types bandy about.

  8. jake Silver badge

    "A new bill introduced to Congress on Thursday would require US publicly listed companies to disclose who on their Board has cybersecurity expertise."

    Who on the Board? Easy answer: Nobody.

  9. This post has been deleted by its author

  10. Anonymous Coward
    Anonymous Coward

    What's the big deal?

    Seems to me that nearly every member of a public company board could certify that they're licensed to drive. Since a demonstrable understanding of the basics of computer security (the "cyber" label sounds juvenile to me) would potentially impact the health of the business more than knowing how to parallel park a Land Rover, I'd think that this disclosure requirement shouldn't be a big deal.

    In fact, I'd go farther. It's the 21st century. Knowing how the Internet works is at least as important as being able to read a balance sheet (putting aside for a moment anecdotal evidence that many CEOs, even those running banking institutions, have shown signs of not understanding how to read their own company's balance sheets). Given that most board members are or were public company executives, it doesn't seem too much to ask that they be educated in the extremely critical subject of computer security. By "educated" I don't mean some paper certificate earned by attending a day-long seminar. I mean something akin to a cluster of undergraduate or graduate classes covering the subject. In lieu, some documented experience in the field would probably be acceptable: say 15-20 years as a senior system or network administrator for a Fortune 200 company...

  11. tom dial Silver badge

    Stupidity abounds

    The subject of the article appears to be S.2410, for which text is not yet available, so we have only the postings of Senator Reed and news reports like this one that presumably are based upon it.

    Whether a corporation director has any technical knowledge of computer and network security is of little relevance to the question of whether the corporate and customer information is properly secured, and a law requiring this type of disclosure is pretty much a waste. What counts at that level is that the directors as a group know that security is important to their customers and the corporation, that they impress that upon the executives who manage the company, and that they make their compensation and continued employment depend on that. And that is not something the law can do a great deal about except after an event, as the damage becomes clear and the need for blame arises.

    A law criminalizing and punishing security failures, or requiring that the corporation make whole those actually damaged, might be a better approach. We really do not need another law that replaces substance with form and statements of compliance.

  12. Suricou Raven

    What's the point of this?

    The board don't need to know anything about 'cybersecurity.' I don't want an MBA writing firewall rules. All they need to know is how to recognize someone who is qualified and hire them. That's why we have specialists.

    1. Anonymous Coward
      Anonymous Coward

      Re: What's the point of this?

      Please don't tar all MBAs with the same brush. I have one and I can also write firewall rules with iptables.

      I've even written Unix device drivers.

      I did the MBA so that I can use proper MBA speak to tell those other MBAs that they are talking a pile of shite.

      I'm posting ANON because I know my current boss reads this site and I don't put my MBA on my CV because I am not a manager but a techie. If I were to put it on then I'd not be considered for techie roles because I would be considered overqualified.

  13. k317

    Liability

    Making companies liable for their lack of cybersecurity would be much more effective.

  14. SVV

    The problem with this is: who audits these claims?

    This sounds like self-certification of security to me. I mean, it's easy enough to recruit an extra board member and call them 'Chief Cybersecurity Officer' or something and then bung a few paragraphs in your company's annual report about how you take it oh-so-very-seriously and do x, y and z. But how does this help if you then have to rely on this being effective, with the only hope being shareholder lawsuits if it turns out not to be?

    As this is for publicly listed companies only, why not a standard compulsory yearly audit by a specialist unit within the stock exchanges where these companies are listed?

    I've seen something similar working in a bank, where audits were mandatory, carried out by the central bank, long and arduous (believe me I had to read the huge tome of criteria and regulations and sit in some of the meetings) but obviously very thorough and effective in ensuring that the right standards were met.

    By the way, the standards didn't just concern security, but quality of service and availability, and required quality control standards too. Also not a bad idea for other large corporations, I might suggest...

  15. Vic

    Oh good grief...

    the Cybersecurity Disclosure Act of 2015 would oblige companies to add details of which, if any, of their directors know about online security in filing to the Securities and Exchange Commission

    And so we get to see the Dunning–Kruger effect in action again.

    Vic.

  16. Anonymous Coward
    Anonymous Coward

    As with so many of these initiatives, it could be made to actually help improve things.

    - How high is the reliance on hard-shell security?

    - What is the status of updates/upgrades?

    - How is the culture with regards to inspecting/reviewing/actioning systems? What level signoff is required?

    - How are promotions prevented from occurring on the basis of technification?

    - What framework is followed and how often do you sign off on audits?

    - How many layers of reporting are between you and the lower middle-management + manual work?

    - Where are your data stored and how is it secured?

    Dead easy, and most "responsible" management will know the answers anyway, so it should be easy to report on and accept responsibility for.

    1. Michael Wojcik Silver badge

      Sure. It could improve the chances that people who know a bit about IT security[1] get those cushy, remunerative board positions. In terms of reward per discernible unit effort, I'm hard-pressed to think of a better "job". Oh, sure, once a quarter you have to travel (expenses paid) to some resort for a "meeting", but I'd throw myself on that grenade.

      [1] Abuse of the "cyber-" prefix should be punishable by jail time. Another perfectly good word ruined by lazy speakers and writers.

  17. Pascal Monett Silver badge

    "66 per cent [..] didn't think security was a strategic priority for their company"

    Well that explains a lot. Looks like lawyers have a bright future for a while yet.

  18. D Moss Esq

    Checking the Cybersecurity Disclosure box will help because ...

    Please see Bloomberg, 30 June 2015, JPMorgan Reassigns Security Team Leader a Year After Data Breach.

    JP Morgan could have ticked the Cybersecurity Disclosure Act box in good faith. That didn't stop the bank from being part of one of the biggest hacks in US history, JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever.

  19. Michael Wojcik Silver badge

    Ponemon Institute

    Man, I want to read that as "Pokemon Institute".

    I choose you, Heartbleed!

    And I've never even watched Pokemon, or played any of the games. It was just so much part of the zeitgeist for a while, I suppose.
