In an interview with CNBC, SEC Chairman Jay Clayton said that cybersecurity risks are foremost on his mind, that cyber risks are on the rise and greater than ever, and that basic cyber hygiene, such as a strong patching strategy and cadence, is very important.
Chairman Clayton noted that the US Government’s Cybersecurity and Infrastructure Security Agency (CISA) issued 30 alerts in October. He stressed that coordination and good information sharing across firms and government about attacks are key, stating ‘I can’t emphasize enough that cyber hygiene helps us all.’ He called for businesses to prioritize preparation and prevention steps against ransomware attacks, such as establishing multiple back-up systems, and called for companies suffering a ransomware attack to reach out to law enforcement and the SEC for help.
The SEC has consistently warned businesses of the risks of cyber-attacks and the systemic risk they pose to critical infrastructure in the financial system. Chairman Clayton’s call for businesses to report cyber-attacks to authorities is a reminder that in most jurisdictions, including the US, such reporting is still often not mandated by law. The US Department of Justice has called for this to change, and this is an important issue that will hopefully be addressed by whichever administration and Congress are in place in the US next year.
Mandated reporting would have a positive impact on overall cyber security in multiple ways. It would give authorities and companies a better picture of the threat landscape and actors, and therefore theoretically allow them to better combat cyber criminals. But it would also encourage companies that are deficient in cyber governance to make the improvements necessary to reduce the likelihood of a significant breach, financial losses and in some cases.
While C-Suites may wish to keep embarrassing breaches quiet, the interests of all other key stakeholders—regulators, investors, vendors, clients, employees of the breached companies and the broader public—are best served by vastly improved transparency.
Data is today’s most valuable asset, yet it continues to go largely unregulated. As we have highlighted before, well-enforced regulation of how data is used and how well it is managed by companies is still needed as a pillar of the digital transformation that drives the global economy.