[BreachExchange] SEC sounds cyber 'wake-up call' to public companies

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 4 14:45:47 EDT 2018


The Securities and Exchange Commission announced an unprecedented $35
million cybersecurity penalty last week against Altaba Inc., putting other
publicly traded companies on notice.

The financial regulator claimed Altaba, formerly known as Yahoo Inc.,
brushed a "massive" 2014 cybersecurity breach under the rug, keeping
investors in the dark for two years about a hack affecting hundreds of
millions of its users.

The fine adds teeth to recent SEC guidance on cybersecurity disclosure,
experts say (Energywire, Feb. 22).

"Everybody was waiting on the SEC to drop the hammer," said Patrick Miller,
managing partner at Archer Energy Solutions. "Anybody that doesn't disclose
what could potentially be a market-swinging data breach is going to have
similar problems."

Miller said he expects the first-of-its-kind penalty to reverberate among
large electricity companies. "They're bound by the SEC like anyone
[investor-owned] is, whether they're selling sneakers or electrons."

The Yahoo data breach — really a series of cyber intrusions dating back to
at least 2014 — ranks among the largest in history, affecting 3 billion
accounts at the former tech giant. Verizon Communications Inc. bought most
of Yahoo's assets in 2016, and the remnants of the company became Altaba.

Yahoo executives knew they had lost their "crown jewels" in late 2014, the
SEC says, including usernames, email addresses, birthdays and answers to
security questions, among other data. But the company kept mum about the
crisis, at least publicly, until December 2016. Altaba declined comment on
last week's settlement with the SEC, in which it neither confirmed nor
denied the breach.

"We do not second-guess good faith exercises of judgment about
cyber-incident disclosure," said Steven Peikin, co-director of the SEC
Division of Enforcement. "But we have also cautioned that a company's
response to such an event could be so lacking that an enforcement action
would be warranted. This is clearly such a case."

Riana Pfefferkorn, cryptography fellow at Stanford Law School's Center for
Internet and Society, said the enforcement action could "light a fire"
under other public companies to disclose their own cybersecurity incidents,
though the case may not help determine where to set the bar for reporting.

"If you're an executive for a publicly traded company, you might be looking
at this data saying, 'That was so bad — laughably bad,'" she said. "'How do
we know, when we have an incident like this, where that falls on the
spectrum of what the SEC's going to decide merits enforcement?'"

Pfefferkorn suggested companies are likely to continue underreporting
cybersecurity incidents despite the $35 million settlement. She pointed to
several factors weighing against disclosure, from a desire to avoid giving
away any information that could be used in future attacks, to pressure from
law enforcement who may not want to tip off hackers to an ongoing

Still, the SEC has cautioned that the presence of an internal or external
investigation isn't grounds to avoid sharing general information about a
significant incident.

"It's not a get-out-of-reporting-free card," Pfefferkorn said.

She was also skeptical of claims that sharing data about an attack or
intrusion could open the door for more malicious activity in the future.

"I understand the desire not to put in too much detail," she said. "But I
think there are ways of saying enough to comply, and give meaningful
information to your investors, without necessarily giving a road map to

Life and limb

Major energy companies have drawn a sharp line between a "material" breach
and more mundane attempted cyber intrusions, while still opting to disclose
the latter to investors.

Entergy Corp. pointed out in an SEC filing earlier this year that it had
been subject to scrutiny from hackers (Energywire, Feb. 8).

"While malware was recently discovered on our corporate network and
remediated on a timely basis, it did not affect the company's operational
systems, nuclear plants or transmission network, nor did it have a material
effect on our operations," Entergy said.

Exelon Corp., which owns and operates gas and electric utilities across the
U.S., said in a recent filing that the risk of security breaches "continues
to intensify."

"While the Registrants have been, and will likely continue to be, subjected
to physical and cyber-attacks, to date none has directly experienced a
material breach or disruption to its network or information systems or our
service operations," the company said, while cautioning that subsidiaries
"may be unable to prevent all such attacks in the future."

Michelle Reed, co-leader of Akin Gump Strauss Hauer & Feld LLP's
cybersecurity, privacy and data protection practice, said in an email that
the harm that can befall energy companies may make them more inclined to
disclose their cybersecurity risks.

"Companies should be considering very closely what systems they have in
place to identify even the small breaches to make sure that it isn't laying
a predicate for a future breach of more devastating consequences," she said.

While Reed said she expects the "trickle of disclosures" to tick up
following the Yahoo/Altaba enforcement action, she warned against going
overboard with new reporting.

"Companies should be aware of concerns related to burying disclosures:
courts have recognized the harm that can be caused to investors by an
'avalanche of trivial information,'" she said.

Electricity companies already face an avalanche of routine threats, the
vast majority of which are rebuffed without fanfare, according to recent

Some firms can face "thousands to millions of 'attempts' per day, depending
on how an attempt to compromise is defined," said the Edison Electric
Institute, which represents major investor-owned utilities, and the
National Rural Electric Cooperative Association, in February commentsto the
Federal Energy Regulatory Commission.

Reporting such a flood of events to any regulator — be it the SEC or FERC,
which is weighing expanded reporting rules for bulk power utilities — would
be a daunting task, in the industry's telling.

"Much of these attempts are not likely to be malicious attempts, but
entities would have to inspect and analyze every packet that attempts to
enter their network to filter through all of the rejected noise and 'find
the needle in the haystack' based on a determination of a sender's intent,"
EEI and NRECA said.

But if a malicious attempt slips through a utility's defenses, the effects
could be dire.

Tom Finan, client engagement and strategy leader at risk management and
insurance firm Willis Towers Watson, said a "material" cyber event in the
electric sector could put more than user data at stake.

"Hackers want to go after attractive targets — historically it's been data
and money," said Finan, a former Department of Homeland Security
cybersecurity official. "But with the trends we've been seeing, there's a
lot of interest in meddling with critical infrastructure like oil and
natural gas, and the electric sector.

"The consequences there are not only going to be financial and
reputational; it's going to affect life and limb, as well," Finan said.

Finan called the SEC penalty move a "wake-up call" for the private sector,
suggesting it will spur executives to treat cybersecurity seriously, if
they don't already.

"Cyber risk is a business risk that just can't be ignored," he said. "And
if it's not treated as a business risk, there are going to be consequences."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180504/c3b23b8d/attachment.html>

More information about the BreachExchange mailing list