Will New SEC Guidelines Play Into The Hands Of Cyber Attackers?


Credit: Tetra Images / Corbis

The Securities and Exchange Commission wants to make sure investors aren’t kept in the dark when companies lose valuable intellectual property in cyber attacks, whether it’s blueprints or unfiled patent applications. But some new guidelines from the agency may inadvertently leave those same companies even more vulnerable to cyber-invasions.

The guidelines, issued in October, came after Senators complained that companies often fail to disclose losses they incur at the hands of hackers. American firms have been victimized by such attacks for years, including a notorious 2010 incident in which Chinese hackers stole source code from Google (NSDQ: GOOG), Adobe (NSDQ: ADBE) and at least 20 other companies.

The SEC document is supposed to help companies determine when they must disclose “cyber incidents” to investors through routine public filings or special Form 8-K notices. While guidelines aren’t the same as laws, they shape compliance officers’ perceptions of what they have to report, and thus will shape information public companies include in their filings.

The agency notes that it is mindful that disclosures could provide a “roadmap” for intruders who may be snooping around for things like security manuals and blueprints, but the SEC nevertheless asks for very specific information. Here, for example, is what a firm should disclose if an attacker steals its intellectual property:

“the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition..”

Roland Trope, a lawyer and professor at West Point, says such rules are well-intentioned but misguided. Trope worries that the disclosures will be of interest not only to investors but also to hackers wishing to calibrate future attacks. He says the SEC filings could be akin to damage reports used by a military after a bombing raid.

Trope and fellow security expert Tom Smedinghoff shared these concerns in a letter this month to the ABA‘s subcommittee on cybersecurity, saying that disclosures “would undermine a company’s cybersecurity by providing precisely the sensitive cyber defense information that an adversary seeks in order to plan and execute a cyberattack on the enterprise.”

For now, it is unclear how many companies will disclose hacking attacks or what they will report. The Financial Times, however, has noted that executives may feel impelled to report on incidents ahead of whistle blowers who can receive large awards for tipping the SEC about when a company is not complying with the law.

In an interview with paidContent, Trope said that for now company lawyers will likely use vague language in an effort to avoid spilling too much. More broadly, Trope thinks the SEC is right to push for an end to the silence surrounding cyber-attacks but that it should instead focus on teaching companies how to nail down their high priority assets. This includes not just intellectual property but also internal manuals on cyber security — which too often are placed online where they can be siphoned by an intruder.

Instead, Trope advocates a form of security known to techies as “air gapping” and which, to the rest of us, sounds like something out of James Bond. An “air-gapped” security system involves placing sensitive information on a computer that is not connected to the internet at all. The computer should in turn be placed under guard in a secure room and only available to a handful of executives, who should also be monitored to ensure they do not download anything.

This form of old school security may sound heavy handed but it has been used for years by the nuclear industry and, says Trope, is infinitely preferable to any type of cloud-based system. “The cloud is the most insecure place on earth to put secure company information. No nuclear power company would put its cyber defense information in the public cloud.”

The views of Mr. Trope as expressed in this article are his own and have not been approved by and should not be attributed to the U.S. Military Academy, the Department of Defense, or the U.S. Government.

Comments are closed.