By Hillary O’Rourke, Contributor
The U.S. Securities and Exchange Commission released guidelines last week that help public companies decide when, and what, to disclose to investors about security breaches, including the risk of breaches that have not yet occurred.
The initiative by SEC’s Division of Corporation Finance intends for companies to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the guidelines.
In the statement, the SEC says it would like to see a discussion of the security risks a company faces and their potential consequences; how the company plans to counter attacks; descriptions of previous attacks; what would happen if an attack went undetected for a period of time; and details of its insurance coverage.
To determine whether disclosure is required, companies should “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”
“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur,” said the guidelines. Instead, the company should discuss the likelihood of a similar attack recurring, along with the consequences it has already experienced and those it could still face.
According to the release, it is not intended to be a rule or a regulation and is “neither approved nor disapproved” by the Commission. It is simply a “roadmap” for those seeking guidance on disclosure at a time when cyber incidents are increasing.
According to the SEC, risk factor disclosures should include:

Sony Pictures Digital Inc., the subsidiary of Sony that runs its movie and music business, confirmed that a hacking group has breached its website, exposing user account credentials.
In a statement issued June 3, Sony Pictures said it took action to protect against further intrusion of its systems. The company said it was targeted by a hacker group known as “LulzSec,” which claimed responsibility for attacks on PBS and Nintendo.
“A respected team of outside experts is conducting a forensic analysis of the attack,” Sony said in a statement. “In addition, we have contacted the U.S. Federal Bureau of Investigation and are working with them to assist in the identification and apprehension of those responsible for this crime.”
The attackers are believed to have used a SQL injection attack to breach the website. The Lulz Security hacking group has been actively boasting about its high-profile website attacks. The group posted more than 100,000 account credentials belonging to users of the Sony Pictures website, and said it took the data from the Sony Pictures and Sony BMG websites. In addition to account credentials, the published information includes addresses and phone numbers.
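The breach above is attributed to SQL injection, the class of bug in which user input is pasted into a database query and ends up being parsed as SQL. The following is an added example, not Sony's application code or the attackers' exploit: a login lookup built by string formatting beside the same lookup with bound parameters, run against a constructed SQLite table. The table, column names and sample rows are assumptions made for the demonstration.

```python
"""Added example: a SQL-injectable login lookup beside its parameterized
replacement, exercised against a constructed in-memory SQLite database.
Illustrative only; table layout and rows are assumptions, not real data."""
import sqlite3

# Constructed sample accounts (not real). Passwords are stored in clear only
# to keep the example short; a real system stores password hashes.
SAMPLE_USERS = [
    ("alice", "hunter2", "alice@example.com", "555-0100"),
    ("bob", "letmein", "bob@example.com", "555-0101"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string formatting, so a quote character in the
    input terminates the string literal and the rest is parsed as SQL.
    Returns every matching (username, email, phone) row."""
    sql = (
        "SELECT username, email, phone FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the values travel separately from
    the statement text, so they are compared as data and never parsed as SQL."""
    sql = (
        "SELECT username, email, phone FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload. In the formatted query the WHERE clause becomes
    #   username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so the whole table comes back: the same
    # kind of bulk account dump described above.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))
    # The parameterized query compares the payload as a literal username and
    # matches nothing.
    print("safe:      ", login_safe(db, payload, payload))
    # Legitimate credentials still work in both versions.
    print("alice:     ", login_safe(db, "alice", "hunter2"))
```

The fix is not escaping quotes by hand but keeping data out of the statement text entirely; the same `?` placeholder pattern applies to any DB-API driver, and ORMs and query builders do it for you as long as you never drop back to string concatenation for "just this one" query.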
The group claimed responsibility for the latest attack against Nintendo’s U.S. servers, posting details of the attack on Twitter. The group said it had obtained an internal configuration file for one of Nintendo’s U.S. servers. It also hacked and defaced the website of InfraGard Atlanta, a chapter of the FBI partnership program that shares cybercrime data with the private sector, and posted more than 100 account credentials stolen in that attack.
Sony and its subsidiaries have been investigating as many as a dozen breaches of their systems since a massive breach exposed information on more than 100 million users of its PlayStation Network and Sony Online Entertainment services. The company has apologized to victims, bolstered system security and is hiring a CISO to manage its security initiatives.

Sony’s PlayStation Network was taken down April 20 while a forensics team investigated the scope of the Sony breach. By May 2 the estimated number of affected accounts had reached 100 million and the breach had spread to its Online Entertainment division.
The firm has implemented additional security measures, but on May 18 it discovered a vulnerability in its password reset application, which led to another short outage.
Sony’s high-profile data breach is one of a slew of breaches that marked the beginning of 2011. Each one casts light on security weaknesses – configuration issues, vulnerabilities and social engineering – that combine to give cybercriminals a roadmap into systems.
Last month, Mandiant Corp. CSO Richard Bejtlich told my colleague Eric Parizo that it’s time for new innovative approaches to defend against attacks. Bejtlich advocates counter-threat operations for larger organizations that can afford it. Those organizations can go on the offensive to “actively hunt for intruders in their enterprise.”
Others are calling for a renewal of the basics:
Taking these steps won’t stop a determined attacker, but they may slow an intruder long enough for monitoring to flag an anomaly and a response team to isolate the affected systems and limit the extent of a data breach before it spirals out of control.

Citigroup says a report that a Russian cyber gang broke into its computer systems and stole millions of dollars is false.
On Tuesday, the Wall Street Journal reported that the FBI was investigating a breach at Citigroup’s Citibank subsidiary. The reported attack was linked to the Russian Business Network cyber gang.
But in a statement emailed to SearchFinancialSecurity.com, the company said the reports of a breach and associated losses are false.
“Denial of service attacks are directed against companies around the world. While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi,” the company said.
“We had no breach of the system and there were no losses, no customer losses, no bank losses,” Joe Petro, managing director of Citigroup’s Security and Investigative services, said in the statement. “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”
The company added that an incident mentioned in the WSJ report involving a Citibank customer who said his online bank account was breached was an “isolated incident of fraud.”

Retailers have been struggling over the last year or so following a precipitous economic decline, layoffs and most Americans holding on to their wallets, buying items that are needed rather than wanted. But TJX, the Framingham, Mass.-based retailer, has bucked the trend. It’s at the top of a short list of retailers reporting strong results – very strong results, reports the Boston Globe’s Steven Syre in a column today.
Syre’s column points out that TJX has had six – yes, six – straight months in which same-store sales exceeded those of the same period a year earlier.
That performance has created a boom in TJX shares this year. After a steep decline during the last five months of 2008, the company’s stock has soared 73% so far in 2009. Yesterday shares gained 92 cents to close at $35.75. The stock stands just $1.25 below its all-time high. … For now, TJX is the best story retailing has to sell.
The massive data breach TJX disclosed in January 2007, which exposed at least 45.7 million credit and debit card numbers to possible fraud, is a distant memory. Other breaches, most notably the massive breach at Heartland Payment Systems, have removed TJX as the data breach poster child.
What does TJX have to show for its breach, its incredibly weak Wi-Fi and its inability to detect an intrusion for months? Lawsuit settlements. Those settlements were likely paid out and cushioned by its insurance policies. The latest settlement, $525,000 to settle a lawsuit by several financial institutions – AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank – is a drop in the bucket.
All the lawsuits appear to be getting settled out of court, and that usually benefits one side: the defendant. There was $9.75 million to settle a lawsuit brought by the attorneys general of 41 states, and up to $40.9 million to cover breach-related costs for Visa card issuers. How much has actually been paid so far? We don’t know.
All in all, looking at one of the most massive breaches in history, it’s difficult to say that companies should spend millions on new technology to defend their data. Defense in depth? Yes. Security fundamentals? Yes. Millions on the latest and greatest security technology? That’s a hard sell.