Cybersecurity Monitor: June 2016

IN THIS ISSUE
New research indicates that both the frequency and cost of data breaches are trending upward. There were increases in the average size of a data breach, the average cost for each record lost, and the total cost of each incident. Unsurprisingly, abnormal customer churn increases following data breach incidents. Customers are showing they expect companies to understand that cybersecurity is a critical element of their business operations. Although the U.S. Securities and Exchange Commission has undertaken no enforcement actions against publicly-traded companies over cybersecurity-related incidents, they cannot afford to be complacent. The SEC has made clear both what it expects of public companies in the event of a breach and what companies are required to disclose to investors about the risks of a cyberattack. It is not a question of if, but when, the agency brings an enforcement action against a public company.

STUDY REVEALS COST OF CYBER BREACHES
Data breaches are expensive. But just how expensive? According to a newIBM/Ponemon Institute survey of 64 U.S. companies in 16 industry sectors, the average cost for each lost or stolen record containing sensitive and confidential information increased from $217 in 2014 to $221 in 2015. Over that same period, the total average cost that organizations paid increased from $6.53 million to $7.01 million. The study identified a number of factors contributing to the increase, including:
  • The average size of a data breach (number of records lost or stolen) increased by 5 percent.
  • Abnormal churn (defined as a greater than expected loss of customers in the normal course of business) increased by 3 percent.
  • Fifty percent of incidents in 2015 involved a malicious or criminal attack, and data breaches due to malicious or criminal attacks cost $236 per misappropriated record.
  • Average detection and escalation costs increased dramatically from $0.61 million to $0.73 million, suggesting that companies are investing more heavily in these activities.
  • Post data breach costs – such as help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services and regulatory interventions – increased from $1.64 million in 2014 to $1.72 million in 2015.

But in the 11 years IBM and the Ponemon Institute have conducted the study, they have also identified lessons for reducing the costs of data breaches. Investments in technologies and in-house expertise, for instance, can lower costs by reducing the time it takes to detect and contain breaches. Additionally, incident response plans, appointment of a chief information security officer, employee training and awareness programs, and a business continuity management strategy result in cost savings. The study also found that organizations can reduce costs when they participate in threat sharing and deployed data loss prevention technologies such as encryption.

SEC CONTINUING FOCUS ON DATA SECURITY
On June 8, the Securities and Exchange Commission (SEC) announced that Morgan Stanley Smith Barney LLC had agreed to pay a $1 million penalty to settle charges that the firm had failed to adopt written policies and procedures reasonably designed to protect customer data. The SEC settled similar cases in April of this year and in September 2015. In all three cases, the SEC charged the firms with having violated Rule 30(a) of  Regulation S-P – otherwise known as the “Safeguards Rule” – which requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures addressing administrative, technical, and physical safeguards that are reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customers records and information; and (3) protect against unauthorized access to or use of customers records or information that could result in substantial harm or inconvenience to any customer.

That the SEC’s first cybersecurity-related enforcement actions targeted the securities industry is not surprising. In January 2014, the agency’s Office of Compliance Inspections and Examinations (OCIE) announced that its securities industry examination priorities for the year included cybersecurity preparedness. OCIE affirmed its intent in April when it announced that it would examine “more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.” Furthermore, in September 2015, OCIE launched an examination initiativespecifically targeting securities firms’ cybersecurity procedures and controls.

All indications are that the SEC will continue this focus on the securities industry’s cybersecurity policies and practices. In May of this year, Chair Mary Jo White told a financial regulation conference that cybersecurity is the biggest risk facing the financial system. "We can't do enough in this sector," she said. And earlier this month, the head of the SEC’s Chicago Regional Officepredicted there would be more enforcement actions in this area. “We expect firms to be diligent, we expect them to be thinking about this area, we expect that companies' procedures both from a policy perspective and a technology perspective are proportional to their risk,” he said.

Although all the enforcement cases thus far have targeted the securities industry, public companies should not be complacent. As Sidley Austin LLPrecently noted, “While Chair White’s statements are not surprising to those closely watching the SEC’s growing interest in the area, regulated entities – and, to a certain extent, potentially even public issuers – are once again put on notice that the SEC views the development and implementation of specific programs and policies to mitigate cybersecurity risks and respond to incidents as a necessary element of corporate governance.” It is not a question of if, but when, the agency brings an enforcement action against a public company.

There is no expectation – at least in the near future – that the SEC will seek new cybersecurity rules targeting public companies. Rather, as with the securities industry, any enforcement actions would be brought under current securities laws, especially the disclosure requirements in Regulation S-K. Already in 2011, the agency’s Division of Corporation Finance issued guidanceto public companies on when they may be obliged to disclose cyber risks or events. Companies must, for instance, disclose in Form 10-K: significant risks “that make an investment in the company speculative or risky”; cyber risks and incidents in Management’s Discussion & Analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition”; and material legal litigation.

AROUND CONGRESS

  • Senators Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.) on June 14announced the creation of the Senate Cybersecurity Caucus. According to the press release, “The caucus will focus on various aspects of the cybersecurity problem, including impacts on national security, the economy, and digital security.  The caucus will provide unique opportunities to inform Senators on the major cyber policy issues facing Congress, introduce Senators and their staff to leading cybersecurity experts, and promote bipartisan and cross-jurisdictional discussions on this important issue.” The House established the Congressional Cybersecurity Caucus in 2008.
  • On June 6, Sens. David Vitter (R-La.) and Gary Peters (D-Mich.) introduced S. 3024, the Small Business Cyber Security Improvements Act. The bill, like its companion in the House, H.R. 5064, would authorize the Small Business Administration, via its network of Small Business Development Centers (SBDCs), to assist small businesses in developing or enhancing their cybersecurity infrastructure, cyber threat awareness, and cyber training programs for employees. The bill was quickly approved in committee and sent to the full Senate.
  • Sens. Angus King (I-Maine), Jim Risch (R-Idaho), Martin Heinrich (D-N.M.), and Susan Collins (R-Maine) on June 6 introduced S. 3018, theSecuring Energy Infrastructure Act. The bill “would examine solutions to defend the U.S. energy grid by replacing key devices like computer-connected operating systems that are vulnerable to cyber-attacks with analog and human-operated systems – a ‘retro’ approach that has shown promise as a safeguard against cyber-attacks,” according to the press release.