That tells investors nothing about how a company would handle the growing threat of ransomware attacks
or hackers exploiting vulnerabilities in a third-party supplier,
explains Kevin Gronberg, vice president of policy and government affairs
at SecurityScorecard.
SecurityScorecard
commissioned the report alongside the nonprofit Cyber Threat Alliance,
the National Association of Corporate Directors, software company
Diligent and analytics company IHS Markit.
“We're
not looking for companies to give a road map to the crown jewels, but
we are looking for more granular [details] and more candor in their
annual reports with regard to the cyber risk that they are facing,” says
Gronberg.
The report focuses on concerns with how firms are interpreting SEC guidance.
With
some exceptions in the finance and health industries, most American
companies are not required to report breaches to the government or
customers.
However, the SEC issued guidance in 2018 that publicly traded companies should disclose “material cybersecurity risks and incidents in a timely fashion”
to investors, weighing factors such as financial risk to investors and
the importance of any compromised information. The guidelines say that
companies should report such risks “periodically.”
That's
a far cry from what most publicly traded companies are actually doing,
the report found. In 2020, only 17 percent of Fortune 100 companies
disclosed management-level cyber-related issues to the board or relevant
board committees at a “frequency of at least annually or quarterly,” the report says.
The
report's authors say “current disclosure regulations are adequate,” but
private companies need to provide more detail to meet the SEC guidance.
The report recommends voluntary steps such as regularizing internal
reporting and making that a part of disclosures to the SEC.
Capitol Hill wants to take a more hands-on approach.
House members last week said they
had plans to introduce legislation that would involve mandatory breach
and cybersecurity incident reporting to both the government and
customers, depending on the incident.
Big name cybersecurity players including Microsoft, FireEye and CrowdStrike tell Congress they support the idea of incident reporting legislation.
The
report doesn't weigh in on mandatory disclosures to the government, but
its authors hope the problems it outlines could be helpful in informing
the current debate.
“We have to have a better understanding of what we're talking about when we disclose things,” says Gronberg. “Without
being able to measure something, you can't get better at it. And if the
government is going to require disclosures, disclosures without being
actionable are meaningless."
Other legislation could be waiting in the wings.
A bipartisan group of lawmakers introduced 2019 legislation requiring SEC-registered companies to disclose the level of cybersecurity expertise on their boards. Gronberg
says he spoke with bill co-sponsor Rep. Jim Himes's (D-Conn.) office
about the report and believes there's a chance the bill would be
reintroduced in the coming weeks. Himes's office did not return a
request for comment.
A Biden SEC could also weigh in.
The division of the SEC dedicated to compliance and risk investigations this week named cybersecurity
compliance areas including threat management, incident response, and
third-party vendor management a top priority for 2021. That means that
more guidance on reporting could be forthcoming.
The keys
FireEye identifies 40 new victims of hackers exploiting of Microsoft Exchange.
The
newly disclosed victims include U.S.-based retailers, local
governments, a university and an engineering firm, FireEye researchers said in a statement.
Microsoft and cybersecurity companies announced the hacking campaign earlier this week, attributing it to a group with Chinese ties. The group, Hafnium, targeted infectious-disease researchers, law firms, universities, defense contractors and nongovernmental organizations.
The
Cybersecurity and Infrastructure Security Agency urged all users of the
affected Microsoft software to patch the vulnerability this week and
required federal agencies to disconnect or patch off any devices until
they were secured. It's still unclear if any federal agencies were
compromised.
FireEye began seeing the
problem at Microsof as early as January. In addition to the activity
seen by Microsoft, FireEye says that it has seen new clusters of
activity from unnamed groups.
A government watchdog found that the Defense Department did not enforce cybersecurity requirements for weapons contracts.
Some
contracts that the Government Accountability Office looked at didn’t
have any cybersecurity requirements when they were awarded, Bloomberg
News’s Alyza Sebenius reports.
“Some
contracts we reviewed had no cybersecurity requirements when they were
awarded, with vague requirements added later,” the GAO said, noting in
the report that “DOD and contractor officials told us that contracting
for cybersecurity requirements is a general challenge.”
“Until
they can get detailed requirements into the contracts it’s still going
to be a challenge to ensure that you’re getting robust cybersecurity,”
Bill Russell, a director in the GAO’s contracting and national security
acquisitions team, told Sebenius.
The GAO said in the report that the Pentagon had made some cybersecurity progress since 2018.
The Senate is working on a $30 billion bill to boost the chip industry.
The bill, which is being drafted by Senate Majority Leader Charles E. Schumer (D-N.Y.), comes amid a growing global shortage of the technology, Reuters’s Alexandra Alper reports.
Lawmakers
have rallied for funding for U.S. chip makers as both a means of
increasing production and providing a secure alternative to chips made
by tech-rival China.
Biden last month issued
a 100-day government review into potential vulnerabilities in the U.S.
supply chain for critical items, including chips used by manufacturers
including the automobile industry.
Hill happenings
Members of Congress want regulators to crack down on fertility-tracking apps that share personal information.
Senate
Foreign Relations Committee Chairman Robert Menendez (D-N.J.) and Reps.
Bonnie Watson Coleman (D-N.J.) and Mikie Sherrill (D-N.J.) told
acting Federal Trade Commission chairwoman Rebecca Kelly Slaughter that
the commission should take enforcement action on menstruation-tracking
apps that have had data breaches or have improperly shared personal
data. The letter comes after mounting media reports that popular fertility and menstruation-tracking apps have shared data without getting consent from users.
Cyber insecurity
Hackers compromised at least four major hacking forums.
Hackers
say they were able to get user data from two of the sites, where elite
cyber criminals communicate and offer their services, Krebs on
Security’s Brian Krebs reports.
Internet-messaging
identifiers were leaked online, potentially allowing researchers to tie
accounts on various sites to one another. The timing has users of the
elite hacking forums concerned that foreign intelligence agencies
plundered the data.
“Only intelligence
services or people who know where the servers are located can pull off
things like that,” one user of the Exploit forum said. “Three forums in
one month is just weird. I don’t think those were regular hackers.
Someone is purposefully ruining forums.”
Global cyberspace
Russian hackers used Lithuanian networks to attack coronavirus vaccine developers, the country’s intelligence agency said.
A
Russian hacking group known as Cozy Bear used Lithuanian IT
infrastructure to launch cyberattacks on developers of coronavirus
vaccines abroad, according to the NATO country’s annual threat assessment.
The report also said that it is likely that Russia and other
adversaries have shifted to using cyberattacks as their primary way to
gather intelligence amid the coronavirus pandemic and prevalence of
remote work.
The report also suggested
that foreign adversaries are using ransomware hacking groups to
destabilize their target countries by going after groups that are
working on managing the pandemic. Hackers linked to Russian intelligence
also targeted “high-ranking decision-makers” in the country last year,
according to the report.
Daybook
- Anne Neuberger, the deputy national security adviser for cyber and emerging technology, delivers a keynote address at the annual ICS Security Summit today at 9 a.m.
- Wiktor Staniecki, the deputy head of the security and defense division of the European Union’s foreign policy arm, speaks at an event on American and European cyber policy hosted by The German Marshall Fund of the United States today at 10:30 a.m.
- House Armed Services Committee Chairman Adam Smith (D-Wash.) speaks at an event hosted by the Brookings Institution today at 11 a.m.
- Duke University’s engineering school hosts a seminar on cybersecurity threats amid remote work today at noon.
- Rep.
Jim Langevin (D-R.I.), the chair of the House Armed Services
Committee’s cyber panel; Eric Goldstein, the Cybersecurity and
Infrastructure Security Agency’s executive assistant director for
cybersecurity; and Debra Jordan, the deputy chief of the Federal
Communications Commission’s homeland security bureau, speak at an event hosted by the Center for Strategic and International Studies on March 9 at 11 a.m.
- The Aspen Institute hosts an event on international Internet blackouts on March 9 at noon.
- U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on March 10 at 4:30 p.m.
Chat room
A
viral TikTok on a purported vulnerability in popular grading software
was quickly debunked. University of Michigan professor J. Alex
Halderman:
NBC News's Kevin Collier:
Biden campaign engineering director Matt Hodges:
Secure log off
image copyrightGetty Images
