As companies chase emerging cybersecurity threats, regulators are increasingly scrutinizing breach disclosure speed, accuracy and informativeness.
For instance, the SEC recently cited real estate title insurance company First American Financial for “disclosure controls and procedures violations” related to a cybersecurity vulnerability that exposed over 800 million images of highly sensitive customer data. Without admitting guilt, First American Financial settled the case and agreed to a $487,616 fine.
While reporting enforcement actions are common, the SEC took new aim in this case by targeting inadequate internal management communication. In an otherwise routine press release, Kristina Littman, the SEC Enforcement Division’s Cyber Unit Chief, delivered a stern warning to boards, c-suites and tech leaders.
“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” she emphasized. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” That’s a clarion call to shatter workplace resistance to bad news.
Cyberthreats are naturally elusive and rapidly changing. Recent well-publicized cyberbreaches evidence the susceptibility of even the presumably most secure technology firms, financial institutions and government agencies.
Since no organization can reasonably expect permanent and infallible cyber defenses, David Cowen, Managing Director, US Cyber Security Services at KPMG, advises that tech security discussions center on inevitable gaps.
“The biggest thing that people forget is that it’s important for the CIO to facilitate honest and transparent conversation between the board, its audit committee and the executive leadership team,” he explained. “Too often CIOs believe that they need to present a picture that 100% of everything is covered — and they don’t bring up or show the risk exceptions the business has accepted.”
Such clear expectations are critical to breach prevention and response. “Nine times out of ten when we observe an incident, it’s inherited from an accepted risk which was either mischaracterized or misinterpreted and it led to larger issues,” Cowen highlighted. “I think there’s this fear from the CIO side that if they bring up issues that somehow they’re to blame for them.”
Cowen argues that rather than agonizing about who “owns” the issues, CIOs should focus on “explaining the accepted risks so that [the leadership team] has a clear understanding and routine visibility of where exposure exists.”
That candid approach delivers two clear and valuable benefits, according to Cowen. “First, if there is an issue, no one can say they didn’t know,” he said. “Secondly, and more importantly, before there is an issue, the board can decide whether it’s worth funding efforts to fix those vulnerabilities.”
Yet, solely focusing on cybersecurity breaches limits boards’ understanding of IT controls. CIOs can better illustrate existing risks by detailing averted hazards.
“For every company there are going to be actual incidents that get the board’s attention. There should be hundreds of other incidents that the existing controls helped mitigate,” Cowen observed. “CIOs should routinely provide visibility to how many ‘near misses’ were mitigated or didn’t require disclosure. These specific examples go a long way to help the board to appreciate real cyber risks.”
Tech leaders must take care to emphasize business relevance rather than the technological details of incidents. Cowen continued, “Technically it’s IT system risk, but CIOs must help the board understand how these risks can affect company reputation. Breaches undermine marketplace trust, generate regulator inquiries and can potentially result in litigation – from customers, suppliers, business partners or shareholders.”
Such insights can also inform and guide the board’s risk mitigation funding decisions. “If you explain risk in terms they understand, show them that risk exists and how additional funds can help to reduce risk — that’s something easy for [boards] to grasp,” Cowen detailed. “Ultimately, the board will elect to accept the risk or direct budgets to reduce potential exposure revealed by near misses.”
Despite the best efforts, breaches occur. Cybersecurity emergency response protocols must explicitly coordinate tech team and internal audit responsibilities.
Such diligent planning eases common board, auditor and regulator concerns, while also significantly reducing cybersecurity crisis costs and decision pressure.
However, well-designed cybersecurity policies lacking sufficient internal reporting and oversight can result in failed remediation and inadequate disclosure. In the First American Financial case, an investigative journalist, Brian Krebs, unearthed the extensive customer data vulnerabilities. The SEC concluded that ensuing company disclosures preceded executives’ knowledge of unaddressed, months-old IT security reports. That’s truly every CFO’s worst nightmare.
“Too many times IT’s incident response team is siloed away from internal audit. That raises the chances of inconsistent reporting and results in a lot of redundant work and potentially flawed disclosures,” Cowen recalled. “Communication clarity is the most critical element in incident response, because it enables teams to work effectively without wondering who’s supposed to be doing what.”
Not all cyberbreaches necessitate public disclosure. However, facing relentless breach attempts, boards and c-suites must demand internal transparency and instill mutual accountability. Otherwise, workplace hesitancy and blame-shifting conceal growing problems, boost hackers’ leverage and eventually awaken regulator scrutiny.
No company can possibly keep pace with evolving IT security threats. As cyber-defenses adapt, one leadership advantage remains timeless — effective human communication. In the long run, isn’t that always what’s best for business?