Cyber breach notification rules will help end stigma associated with disclosing attacks, says Corero boss

Out-Law News | 12 Sep 2013 | 2:17 pm | 3 min. read

The stigma associated with owning up to having been the victim of a cyber attack will diminish as a result of new rules requiring companies to formally disclose breaches, according to a network security expert.

Ashley Stephenson, chief executive of Corero Network Security, said that some of the world's biggest companies, including those operating in the banking industry, were in 2012 identifying suspicious and malicious cyber incidents several times a week. This compares to them finding just one or two examples of such incidents every quarter in 2011, he said. He said he expects 2013 will see a further rise in the number of incidents spotted. 

Stephenson said, though, that the vast majority of cyber security incidents go unreported and that, as a result, businesses that do disclose the fact they have experienced a data breach or other form of cyber attack have to face up to the stigma associated with that disclosure.

"Companies that do the right thing and disclose breaches put themselves at a competitive disadvantage," Stephenson told Out-Law.com. 

Companies that do disclose that they have been the victims of attacks are reliant on customers looking "rationally" at their case, he said. Businesses can look "weaker than competitors" and suffer damage to their brands and reputation where they choose to report cyber incidents and rivals do not, he added.

Because there is no existing regulatory requirement, or best practice pressure, to disclose cyber security incidents, businesses also lack incentives to conduct in-depth investigations into those attacks, Stephenson said. He said many companies appear to view losses stemming from cyber breaches as natural "shrinkage" and a "cause of doing business online". 

"As they see the cost, liability, and business impact rise then they are motivated to react," he said.

However, he said that European Commission plans to require more EU businesses to disclose details about cyber attacks will help "expose more of the iceberg" of breaches currently hidden from public knowledge and provide "safety in numbers" for those disclosing such attacks. He said that the Commission's plans can also help drive efforts into combating the problem of cyber attacks, by encouraging "the good guys" to collaborate and put in place "defence-in-depth strategies", for example. 

Under the Commission's draft Network and Information Security (NIS) Directive, banks, energy companies, e-commerce and cloud platforms, and other businesses involved in the operation of critical infrastructure would be required to maintain sufficiently secure systems and report to designated national regulators "significant" cyber security incidents that they experience. Regulators would then be able to share with one another details of the attacks and would determine on a case-by-case basis whether the public should be told about the incidents companies experienced.

Stephenson said the plans were "a step in the right direction". He said that whilst companies may be compiling forensic reports and sharing evidence with the police in order to obtain redress against perpetrators of cyber crime, the reaction to and the combating of cyber crime was, in general, currently individualistic and disjointed. Businesses would stand to benefit if more details about cyber incidents were made public as this could help businesses identify threats and coordinate more on how best to address cyber risks, Stephenson added. 

"If any one of those new-age technology companies [that would be subject to the new NIS Directive, if introduced] has its systems compromised at the moment they would be on their own in terms of disclosing what happened," Stephenson said. 

The Commission's NIS Directive proposals represent an "updating of the list of companies" now operating important networks and infrastructure, from the traditional view that this role was performed solely by telecoms businesses, he said. Telecoms businesses already have certain obligations, under existing EU laws, in relation to reporting personal data breaches they experience to regulators and the public. 

Although it is not possible to "legislate crimes away", he said that new cyber breach disclosure regulations and rules, and the creation of "national regulatory clearinghouses" could help promote best practice reporting of cyber incidents and in turn reduce the stigma associated with that reporting. 

Stephenson said that guidance issued by the US Securities and Exchange Commission (SEC) in 2011 on reporting cyber security risks and incidents had helped to drive boardroom interest and investment in their companies' systems security. Other factors driving interest were the attacks themselves and media coverage of them.

The SEC guidance explains that whilst there is not a formal requirement on businesses to report cyber security risks and incidents, companies can meet other disclosure rules by reporting such incidents. 

The SEC said its guidance was driven by the desire to ensure prospective investors were sufficiently informed about the risks to their investment prior to making investment decisions. Stephenson said it had helped promote the concept that it is best practice to disclose cyber incidents and that, subsequently, more US businesses had been prompted to deploy cyber security technology to monitor for suspicious or malicious cyber incidents.

"The SEC guidance and other government advisories are definitely helping to get corporations to pay attention and act," he said.