Cybersecurity Disclosure: The Emphasized Need for Regulatory Framework
By: C. Caden, K. Kuley, N. Naour, M. Nash, K. Uppal
Cloud Computing
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - National Institute of Standards and Technology
or more simply…
“providing large-scale computing resources over the internet”
Cybersecurity
"Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights."
Increased use of IT and Cloud Computing
Cybersecurity is not Just an IT Issue
Cybersecurity risk management is an enterprise-wide issue and should not be left to the IT department alone.
Management’s reliance on IT General Controls can have negative effects if those controls fail.
Governance of Enterprise Security: Carnegie Mellon CyLab 2012 Report
External Analysis- Economic
External Analysis- Legal
“The history of cybersecurity law reflects a mix of legal areas and sources: cybercrime, cyber warfare, national security (protection of critical infrastructure), legislative statutes, and presidential directive (Flowers et al., 2012).”
Cybersecurity Law compared with:
Law Enforcement and the Law of Armed Conflict
Environmental Law
Antitrust Laws
Cartels, Price Fixing
Products Liability
Criminal Negligence
External Analysis- Political
Internal Analysis
Disclosure cannot be so detailed and specific that the disclosure itself would
harm the organization's cyber security.
Knowing when to disclose and what is material
Downstream disclosures
Existing Frameworks/Guidelines
CF DG 2 - Corporate Financial Disclosure Guidance 2
NIST - National Institute of Standards and Technology
HIPAA - Health Insurance Portability and Accountability Act
COBIT 5 - Control Objectives for Information and Related Technologies
CFATS - Chemical Facility Anti-Terrorism Standards
GLBA - Gramm-Leach-Bliley Act
ISO - International Organization for Standardization
IEC - International Electrotechnical Commission
Existing Guideline ~ CF DG 2
Corporate Financial Disclosure Guidance Topic 2 (CF DG 2)
No specific obligation, falls under other obligations
Boilerplate
When to disclose
Risk Factor (10-K)
Disclose in the MD&A if the cost/consequences are material
Remediation, Prevention, litigation, Qualitative
Existing Guideline ~ CF DG 2 ~ Reality
More of a rule
Materiality does not matter
Boilerplate disclosures
Lack of guidance
Existing Frameworks - HIPAA
Health Insurance Portability and Accountability Act - Law governing health care organizations to ensure patient health info remains confidential.
2003 Privacy Regulations:
1. Enact reasonable safeguards that protect the privacy of patient-identifiable information in any form, whether it is electronic, written or oral. For example, one such step may be establishing policies that patient information is not to be discussed in public areas.
2. Hospitals must also implement minimum necessary policies and procedures that limit how much protected health information is used, disclosed and requested for certain purposes.
3. Provide training for staff on privacy procedures.
(Yoder, 2003)
Advantages - Goal is to inform, Mandatory
Disadvantages - Limited to healthcare entities, Limited access controls, Inadequate monitoring and auditing of information systems, Lack of security incident and disaster recovery plan
Cybersecurity Framework 1.0 - NIST
An agency within the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) conducts extensive research in measurement science and establishes standards in order to promote economic security.
The framework core component consists of these core functions: identify, protect, detect, respond, recover. The framework correlates each function with industry standards, including categories and subcategories for each function.
Lack of Obligatory Framework
The main issue to be discussed is the lack of an overarching formal framework or standard in regards to cyber-attacks, particularly for communicating cyber-attacks, and even potential cyber-attacks, to shareholders. This needs to be addressed in order to limit information asymmetry.
Keyword Analysis Findings:
- Most disclosures are boilerplate
- Industries with existing frameworks had a higher number of instances
- Higher rate of disclosures now than in 2004
Keyword Analysis
JP Morgan Chase - October 2, 2014
Approximately 200 million people’s contact info stolen (~62% of the United States)
NIST RFI Analysis
NIST RFI Analysis - Opinions on Transition
Recommendation
Push towards rules-based framework
Everyone is on the same page, Security conscious environment, Reduce cost
In line with audit firms
“Sales (2013) suggests the need for industry-wide security standards; these rules
should be developed through partnership between regulatory agencies and private
firms, rather than directly imposed via direct regulation”
Implementation Plan
ISO should incorporate NIST to increase international outreach
Using NIST as ‘backbone’
Incorporated into SEC/CSA
Appoint cybersecurity specialist to board of directors
SEC will have to decide if it will remain voluntary for certain industries or companies, to reduce issues for
new/small companies
Should continue to solicit information from users of the framework via RFIs, and updates should continue
Set a date for standardizing the voluntary framework, allowing non-compliant companies some time to become compliant.
Thank you!

Capstone Final Presentation


Editor's Notes

  • #2 “The Vice-President of the European Commission responsible for the Digital Agenda, Neelie Kroes, emphasized the critical role the cloud can play in the economic growth of member countries and emphasized the need to develop appropriate regulative framework (Kshetri, 2013).”
  • #3 “Information security risk is defined as a combination of the likelihood of an event, that are incidents or attacks on the information systems, cause negative impact on asset, group of asset or an organization (ISO27K).” "Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights." “Cybersecurity can be understood as efforts to secure digital information, the equipment that process that information, and the means of transmitting that information among devices. At its core, cybersecurity involves information security or assurance- preserving the confidentiality, availability, and integrity of information (Delaney, 2014).”
  • #5 “Organizations rely on IT systems in order to implement internal controls but when IT-related controls fail, this can impose negative implications on automatic financial reporting systems...” (Haislip, Peters, Richardson, 2016) Less than two-thirds of the Forbes Global 2000 companies responding to the survey have full-time personnel in key roles responsible for privacy and security (CIO, CISO) Research findings suggest that audit firms with specialization in IT can benefit organizations through extensive monitoring, which as a result can decrease the number of IT material weaknesses being reported. In other words, improved IT training can improve audit quality and ultimately financial reporting. (Haislip, Peters, Richardson, 2016).
  • #7 According to the Director of the National Security Agency and head of the U.S. Cyber Command, General Keith B. Alexander, “cyber attacks have resulted in the greatest transfer of wealth in history (Source).” “Szewczyk (1992) found that investors draw inferences about the prospects of the industry as a whole rather than narrowly viewing the given security breach event as a shift in competitive advantage between the announcing firm and its industry competitors (Zafar et al. 2012).”
  • #8 “The rapid expansion of these new technologies has often left the legal system lagging behind when responding to the criminality these technologies bring about (Flowers et al. 2012).”
  • #9 Quadrant 1: foreign governments are unlikely to target insignificant firms such as retailers (no incentive). Quadrant 2: low frequency, high severity (ISPs and public utilities targeted by foreign militaries and intelligence services). Quadrant 3: recreational hackers/hacktivists targeting utilities and similarly significant enterprises (no incentive). Quadrant 4: high frequency, low severity attacks (retailers targeted by unsophisticated recreational hackers). Lower-left corner: socially optimal amount invested in cyber-defence (less investment needed). Top-right corner: lower probability that the firm is adequately investing in cyber security (more investment needed). Real life analogy: factories and infrastructure were not expected to install anti-aircraft artillery during WWII to defend themselves from German bombers, nor should we now expect them to defend themselves from foreign governments’ cyber attacks. Estonia example.
  • #10 There are a few internal issues that arise when it comes to cybersecurity disclosures that we would like to emphasize here. The first is the level of detail within the cybersecurity disclosures. What I mean by this first point is that disclosures can be too specific and essentially create a roadmap for potential hackers, pointing out vulnerabilities and entry points. Another issue faced internally is knowing when to disclose and what is material; not every breach or attempted breach needs to be disclosed. The question needs to be whether “the reasonable investor would expect to know about the risks and about the event.” The final internal factor is downstream disclosures. A downstream disclosure is basically the case where Company B, which supplies inventory to Company A, has weak security and gets breached, and information belonging to Company A is stolen. These downstream disclosures are vital for removing the asymmetry of information between stakeholders and the company.
  • #12 Corporate Financial Disclosure Guidance Topic 2 from the SEC is the current guidance. Under the CF DG 2 there is no specific obligation to disclose prior attacks, or the risk or threat of future attacks; however, these risks and threats could fall under another disclosure obligation. The CF DG 2 also states that disclosures, when they are necessary, need to be specific to the organization or industry, meaning disclosures should vary between industries as each industry will have its own set of risks and challenges. The term used for this in the CF DG 2 is no “boilerplate” disclosures; a boilerplate is a unit of writing that can be used over and over again. One reason why an organization would disclose according to the SEC is when there is a significant risk factor. This risk would need to be assessed by the organization; some factors that would increase the risk of cyber attacks or incidents would be any prior attacks, what the impact of these attacks was, and how frequent the attacks are. We also look at the likelihood, magnitude, velocity, and persistence of the attacks. You should know about these terms from studying the risk assessment in the COSO framework, so I won’t be going over them. Then you would look at the controls you have set in place to prevent an attack, which obviously decreases the risk. You would also have a need to disclose in the MD&A when the cost or the consequences of a cyber attack have been determined to be material in nature. Some of the costs you would be looking at would be remediation costs, so costs incurred to fix the problem such as customer retention incentives and the cost to restore the system; prevention costs, costs associated with preventing an attack in the future and better securing your system after an attack; and lost revenue, which could be due to a denial of service attack, lost revenue from being shut down to fix the problem, or a more serious case when proprietary information is stolen. There are also litigation costs, so obviously the cost of any legal proceedings that may be incurred, and the loss of brand image, which is an intangible cost but a very important one to note. Just to note, there are other reasons one may have to disclose, such as legal proceedings for example; however, I just wanted to give an idea of the main idea behind CF DG 2, which is that it is focused on disclosures that are or could be material, and that may influence the users’ opinion on the riskiness of the organization.
  • #13 The Albany Law Review studied 10 different cases of the SEC requesting disclosures directly quoting the CF DG 2 and reviewed them to see how the CF DG 2 held up in reality. What they found, first of all, was that the CF DG 2 does not seem to be a guideline but more of a rule. What seemed to be happening is that the SEC sent out a request letter, the companies would reply stating their reasoning for not disclosing any more information, and the SEC would then send another request letter. In the end, in all cases the company gave in and complied with the SEC; this is no shock, as repeated requests from the SEC are probably easier to comply with than to try and fight. The second finding was that materiality did not matter: it was found that any prior or potential attack needed to be disclosed, material or not. This was discovered by the companies explaining that they did not find the risk to be material and the SEC requesting again that it be disclosed. Some disclosures even included points that state “we do not find the risk to be material.” The SEC CF DG 2 stated it does not want boilerplate disclosures; however, through the case studies it was determined that this is exactly the case. “The cybersecurity disclosures of Amazon, AIG, and Quest Diagnostics are strikingly similar” (Albany Law Review 2014). This factor, we believe, is brought on by a lack of guidance on what needs to be disclosed: companies are encouraged not to disclose detailed information that could potentially harm them, but enough to satisfy the SEC, so they begin to release boilerplate disclosures that are just enough for the SEC to be satisfied. The final thing is that it is exactly what it is, just a guideline. Even though it was stated that it looks more like a rule, this is only when the SEC sends a letter of request, and according to Chairwoman White they sent 50 letters, a number she seems quite happy with; however, 50 out of over ten thousand companies registered with the SEC is less than 1%. This means it is hard to determine whether the company in question in fact met the minimal guidelines set forth by CF DG 2 or not, and this, coupled with the boilerplate disclosures we are witnessing, seemingly makes the guideline useless to the shareholder.
  • #15 An agency within the U.S. Department of Commerce, NIST conducts extensive research in measurement science and establishes standards in order to promote economic security. The organization has been at the forefront of many established standards, including the early U.S. electrical safety code, radiation standards, the world’s first DNA profiling standard, and the list goes on. In early 2013, the U.S. president issued an executive order aiming at enhancing the security of the nation’s cyber environment, requiring that a voluntary framework be created in order to cope with the associated risks of cyber security in regards to the nation’s security, economy, public safety and health. As a result, NIST developed the risk-based Cybersecurity Framework Version 1.0 a year later, through the collaboration of the government and private sector. The framework’s aim is to allow organizations to assess their cybersecurity environment in order to identify weaknesses and opportunities and communicate those risks with stakeholders. The framework core (one of three components) consists of these core functions: identify, protect, detect, respond, recover. The framework correlates each function with industry standards, including categories and subcategories for each function. In addition to the risk management guidance provided by NIST’s cybersecurity framework, a general set of considerations and processes is provided for protecting individual privacy from cybersecurity risk. The framework recommends measures organizations can take in order to mitigate certain threats and emphasizes that those that operate or own critical government infrastructure have a direct responsibility to protect those privacies. Many organizations have benefited from such a framework; however, some argue it does not accomplish enough in regards to risk management. (cite article on NIST boi). NIST is developing framework 2.0, with the assistance and recommendations of industry participants.
  • #17 In a 2010 study, the Market Value of Voluntary Disclosures Concerning Information Security by Gordon, Loeb and Sohail primarily connected voluntary information security disclosures to stock market prices and overall market value. Within their study, they also performed an analysis of over 5,700 firms’ SEC disclosures (primarily annual reports and 10-K reports, between the years of 2000 and 2004), running them through a meta-search engine which identified certain predetermined terms and keywords. The study found that 86.19% of firms did not have any disclosures related to information security. In response to this study, we decided to perform an analysis of 2014 and 2015 SEC documents, in a similar manner and methodology. In order to maintain comparability, we used the same documents (mainly annual reports and 10-Ks), and ensured that each individual instance was related to information security. Our study looked at 20 companies from five different broad industries: the banking and financial service industry, aerospace and defence industry, information technology industry, health and health services industry, and energy and utilities industry. The companies were all publicly traded, and our goal was to discover whether companies had increased their general information security disclosures. Given the increase in information security risks since the past study, we hypothesized that we would find an increase in disclosures. In the health and health services industry, we found that many of the instances were related to the HIPAA (Health Insurance Portability and Accountability Act) requirements surrounding the protection of customer and patient information, and this may be a reason for the large number of instances, considering that the majority of keywords found in that industry were “cyber security,” “breach,” and “cyber attack,” topics which HIPAA covers. Similarly, in the technology industry, we saw a large number of instances of the terms breach and cloud. One example was Adobe, which had somewhere around 200 instances of the word “cloud” in their disclosures; however, they have two products, Adobe Marketing Cloud and Adobe Creative Cloud, which were heavily discussed and accounted for about 95% of the instances, so we were forced to read through almost the entire document. The fewest disclosures came from the aerospace and defence industry, which was not really surprising, considering it is easily the industry where security in general would be taken most seriously. It is possible that some of the companies we looked at did not disclose very much information at all, in hopes of deterring potential harm from cyber incidents down the road. As mentioned above, some companies view cyber disclosures as potentially risky, as they may give potential attackers a sort of “roadmap” to breaching their system.
  • #19 An analysis was also conducted on the NIST RFIs to identify common opinions on the NIST framework expressed among executives and professionals from various industries. Since beginning to develop the framework, the organization has released several requests for information (RFIs) using detailed questionnaires in regards to the use of the framework. NIST has received responses from many government organizations and businesses, including the City of Toronto, Ernst & Young and Boeing, to name a few. Participants had varying recommendations for the next framework, emphasizing the need for international response and issues regarding best practices. The RFI consisted of four main categories and 25 total questions. Knowing that some of the respondents would answer all of the questions laid out in the RFI and some would submit more of a letter or opinion-style response, we wanted to collect data both from a specific question that was posed, which coincided with our research, and from the general responses offered by respondents who provided an opinion or letter. We wanted to find out what respondents thought about the current voluntary state of the NIST framework and whether they thought it should become a requirement or standard, as well as what general industry they belonged to. We faced a challenge identifying which side of the argument some of the respondents supported, and did not include those figures in the graphic exhibits. There were times when we were able to infer what the respondents thought through their statements. For example, if we saw that the respondent did not agree with any future changes being made to the framework, then we assumed that the respondent was in support of keeping the framework voluntary, as it is now. Finally, we collected data on whether or not the respondent agreed with NIST transitioning the framework to another party or governing body, which was also a specific question posed in the RFI. The responses to this mainly came from those who responded to all 25 questions in the RFI. Then explain results.