BreachExchange mailing list archives

NYSE releases a cybersecurity guide for public companies


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 14 Oct 2015 17:57:36 -0500

http://www.marketwatch.com/story/nyse-releases-a-cybersecurity-guide-for-public-companies-2015-10-14?rss=1

The New York Stock Exchange released a 355-page book this week that it
calls the “definitive cybersecurity guide for directors and officers” of
public companies.

“No issue today has created more concern within corporate C-suites and
boardrooms than cybersecurity risk,” Tom Farley, president of the exchange,
wrote in the book’s introduction. “No company, region, or industry
is immune, which makes the responsibility to oversee, manage, and mitigate
cyber risk a top-down priority in every organization.”

There have been 591 data breaches of businesses, financial, educational and
medical institutions and government agencies already this year, according
to an Oct. 6 tally by the Identity Theft Resource Center. Hacks have proven
to scare away customers and bring down profits (Target), make businesses
work with pen and paper instead of computers (Sony) and hamper ambitions to
take a company public (Avid Life Media, the parent company of Ashley
Madison).

The book, published in partnership with the Santa Clara, Calif.-based
cybersecurity company Palo Alto Networks, includes 46 chapters
written by more than 35 contributors across security, business and
government. It covers such topics as board obligations and action plans,
how CEOs can ask better questions, how to protect trade secrets, as well as
consumer protection and incident response.

*Here are the highlights:*

*Is it possible to prevent a breach?*

“On the contrary, there is every reason to expect that their number will
continue to grow. In fact, we can also expect that the ‘attack surface’ and
potential targets will also continue to grow as we constantly increase the
connections of various things to the Internet,” says Mark McLaughlin, CEO
of Palo Alto Networks, which sells cybersecurity products such as firewalls
and other platforms.

But companies can — and should — invest in resources that can make it more
difficult for an attacker to penetrate systems, thus increasing the cost of
breaking in and pushing down the number of successful attacks. That would
make the risk more manageable.

*If your company does not yet have a chief information security officer, it
should probably hire one soon*

“Reports suggest that companies that have a dedicated [chief information
security officer] detected more security incidents and reported lower
average financial losses per incident,” the book says.

*Boards should let shareholders know they care about cybersecurity*

Four of five investors say they may blacklist stocks of hacked firms,
according to a KPMG survey cited in the book. “Boards would be wise to
raise their games by disclosing more details of their board oversight
efforts and engaging with investors when cyber incidents occur, or they may
run the risk of a loss of investor confidence,” the book reads.

*To disclose, or not to disclose? That is still the question*

If personal customer information has been compromised, should companies go
public <http://www.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237>
about a breach if there is no law forcing them to do so? The book says it’s
up to the company. “No one-size-fits-all answer exists — it’s almost always
a judgment call.” Here’s the decision tree it offers.

*How companies should deal with protecting ‘impatient and intolerant’
consumers’ information*

In a chapter about protecting consumer data, the writers take issue with
the fact that regulators say businesses should protect personal information
instead of applying a “buyer beware” approach.

“Consumers demand that organizations safeguard their privacy and protect
their information from data breaches; however, those same consumers are
impatient and intolerant when security measures slow services or degrade
usability,” the book reads.

It recommends that companies figure out what information they have, keep
only what they need to conduct business and develop a plan to protect that
data and respond to security incidents if need be.

*The five questions CEOs should ask to improve security*

What is the current level and business impact of cyber risks to our
company? What is our plan to address identified risks?

How is our executive leadership informed about the current level and
business impact of cyber risks to our company?

How does our cybersecurity program apply industry standards and best
practices?

How many and what types of cyber incidents do we detect in a normal week?
What is the threshold for notifying our executive leadership?

How comprehensive is our cyber incident response plan? How often is the
plan tested?

*You can download the full book here*
<https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf>
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
