Inflection Point | Wake-Up Call: No Hedging Allowed
The U.S. Securities and Exchange Commission (SEC) is trying to make it clear: no hedging allowed when disclosing cyberattacks to the investing public.
Four companies were recently fined for making misleading statements about how the 2020 SolarWinds hack affected them:
- Unisys, $4 million
- Avaya, $1 million
- Check Point, $995,000
- Mimecast, $990,000
Each one either minimized the attack’s severity or didn’t disclose important information. This left investors unaware of the true impact.
These companies knew about the breaches early on. Yet, they publicly described their cyber risks as “hypothetical” or limited.
For example:
- Unisys downplayed two actual breaches involving stolen data.
- Avaya claimed only a few emails were accessed, though 145 files were also compromised.
- Check Point used only generic terms to describe the risk, avoiding the real impact.
Unisys also faced issues with its disclosure controls. The SEC noted they lacked proper systems to ensure public statements matched reality.
Cybersecurity is now part of corporate governance and compliance. Failure to align these areas can lead to penalties and other damage.
Given what happened to these four companies, I want you to ask yourself why the governance functions at each one acted this way.
I think it’s because reputation is a company’s #1 digital asset and senior decision-makers are tempted to say or do anything to protect it, even if it’s unethical or illegal.
After all, no matter how big you are, or how much money you have, if no one trusts you, then you’re facing bankruptcy.
What do you think? Could this be a wake-up call for all public companies? How are these two opposing forces going to get reconciled?
Click 'comment' and let me know.
I read every comment you post.
-Kip
P.S. Please forward this "Inflection Point" to someone you care about.
Current Podcast Episode: “Cybersecurity Hiring Manager Insights”
What’s the current cybersecurity hiring manager’s perspective on hiring? Talent scouting, employer reputation, etc.?
Let’s find out with our guest, Reanna Schultz. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities LLC, and Jake Bernstein, CISSP, CIPP/US, Partner with K&L Gates.
RESOURCES
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015, after seven years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
Crafting Quality & Scalable Code | IT Consultant for Startups & SMBs | Web & Mobile App Development Expert | Backend Developer | Full Stack Developer | Data Scientist | Python | Node.js | FastAPI | AsyncIO
3 hours ago: The SEC's new rules on cybersecurity disclosure are a significant step towards greater transparency and accountability for public companies. Kip Boyle
Cyber Risk Analyst | Security Enthusiast | Indigenous
10 hours ago: Something I've learned is that if your IT department asks you "but do we really have to make a statement about this...?", that means you most likely have to make a statement.
IT Strategist, Builder, Optimizer, Evangelist
12 hours ago: Absolutely! For every incident we hear about, how many more occurred w/o public knowledge? It must be tempting for business leaders to diminish the severity, push back on IT, find an out of some kind. 'Are we 100% sure they exfiltrated this data?!' Business leadership and IT are motivated to avoid the PR bruise, so *both* are eager to ingest rationalization from the other.