BreachExchange mailing list archives
NYSE releases a cybersecurity guide for public companies
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 14 Oct 2015 17:57:36 -0500
http://www.marketwatch.com/story/nyse-releases-a-cybersecurity-guide-for-public-companies-2015-10-14?rss=1

The New York Stock Exchange released a 355-page book this week that it calls the "definitive cybersecurity guide for directors and officers" of public companies.

"No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk," Tom Farley, president of the exchange, wrote in the book's introduction. "No company, region, or industry is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization."

There have been 591 data breaches of businesses, financial, educational and medical institutions and government agencies already this year, according to an Oct. 6 tally by the Identity Theft Resource Center. Hacks have proven to scare away customers and bring down profits (Target), make businesses work with pen and paper instead of computers (Sony) and hamper ambitions to take a company public (Avid Life Media, the parent company of Ashley Madison).

The book, published in partnership with the Santa Clara, Calif.-based cybersecurity company Palo Alto Networks, includes 46 chapters written by more than 35 contributors across security, business and government. It covers such topics as board obligations and action plans, how CEOs can ask better questions, how to protect trade secrets, as well as consumer protection and incident response.

*Here are the highlights:*

*Is it possible to prevent a breach?*

"On the contrary, there is every reason to expect that their number will continue to grow. In fact, we can also expect that the 'attack surface' and potential targets will also continue to grow as we constantly increase the connections of various things to the Internet," says Mark McLaughlin, CEO of Palo Alto Networks, which sells cybersecurity products such as firewalls and other platforms.

But companies can, and should, invest in resources that can make it more difficult for an attacker to penetrate systems, thus increasing the cost of breaking in and pushing down the number of successful attacks. That would make the risk more manageable.

*If your company does not yet have a chief information security officer, it should probably hire one soon*

"Reports suggest that companies that have a dedicated [chief information security officer] detected more security incidents and reported lower average financial losses per incident," the book says.

*Boards should let shareholders know they care about cybersecurity*

Four of five investors say they may blacklist stocks of hacked firms, according to a KPMG survey cited in the book. "Boards would be wise to raise their games by disclosing more details of their board oversight efforts and engaging with investors when cyber incidents occur, or they may run the risk of a loss of investor confidence," the book reads.

*To disclose, or not to disclose? That is still the question*

If personal customer information has been compromised, should companies go public <http://www.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237> about a breach if there is no law forcing them to do so? The book says it's up to the company. "No one-size-fits-all answer exists — it's almost always a judgment call." Here's the decision tree it offers.

*How companies should deal with protecting 'impatient and intolerant' consumers' information*

In a chapter about protecting consumer data, the writers take issue with the fact that regulators say businesses should protect personal information instead of applying a "buyer beware" approach. "Consumers demand that organizations safeguard their privacy and protect their information from data breaches; however, those same consumers are impatient and intolerant when security measures slow services or degrade usability," the book reads.

It recommends that companies figure out what information they have, keep only what they need to conduct business and develop a plan to protect that data and respond to security incidents if need be.

*The five questions CEOs should ask to improve security*

1. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
3. How does our cybersecurity program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5. How comprehensive is our cyber incident response plan? How often is the plan tested?

*You can download the full book here* <https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf>
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/