Does blasting the SEC for failing to act on warnings help cybersecurity?

On the heels of the Equifax breach, the United States Securities and Exchange Commission (SEC) disclosed on September 20, 2017, that it had been hacked back in 2016. It further disclosed that about a month ago it learned the hackers may have used their access for illegal online trading. Given the SEC’s role in investigating and bringing enforcement actions against companies that have had cybersecurity incidents, combined with its recent exercise of that power to join the Federal Trade Commission as a key regulator of cybersecurity, many are taking umbrage.

This post has nothing to do with any of that.

On July 27, 2017, the U.S. Government Accountability Office (GAO) issued a report assessing the SEC’s cybersecurity posture and recommending that the SEC take specific actions to improve its cybersecurity. Effectively, a risk assessment. Now, in the wake of the SEC’s announcement, many are jumping on the “the SEC failed to act” bandwagon. Is this a good thing to be focusing on?

As tempting as this bandwagon may be, as I thought more about it, I wondered whether this is good for cybersecurity as a whole, which led me to a couple of questions to consider:

  1. Do any of us really believe there is any organization in the United States, or even the world, that is 100% cyber secure–that is, that has no vulnerabilities or areas for improvement?
  2. Do any of us really believe that our own organization is 100% cyber secure, having no vulnerabilities or areas for improvement?
  3. What is the first thing many experienced cybersecurity professionals are encouraging organizations to do when beginning the journey of developing and maturing their own cyber risk management program?

If you answered the last question with something to the effect of “start with a risk assessment” then you are correct.

So, if no company is 100% cyber secure and every organization should start with a risk assessment, doesn’t it stand to reason that every single organization in the world will have “warnings” that they must heed in the event they later have an incident?

And, when an organization does obtain a risk assessment, how many are able to implement every recommendation, immediately?

If it is virtually guaranteed that an organization obtaining a quality risk assessment will receive recommendations that it is unable to implement immediately, and such recommendations will later be used against it if it has an incident, does this encourage organizations to obtain a risk assessment?

What do you think? Does the “the SEC failed to act” bandwagon advance the overall cause of cybersecurity?


Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
