February 23, 2010 – “Intel Says It Was Target of Cyber Attack,” read the headline from the Wall Street Journal. “Intel said it was hit by a ‘sophisticated’ cyberattack in January, around the same time Google Inc. says it was attacked by Chinese hackers, but it wasn’t clear whether the incidents were related. The chip giant made the disclosure in its annual report with securities regulators.”
As best I can tell, Intel was the first public company to disclose a potentially material or significant cyber-related incident in its annual filing with the Securities and Exchange Commission. It is important to note that the news reports indicated that more than 30 other companies were also affected by the attack.
So, why is it that Intel disclosed this in its financial filings with the SEC? Why is it that none of the dozens of other public companies affected by a similar attack at the time disclosed anything to their shareholders? And why is it that now, more than 13 years later, the SEC is once again updating its guidelines on reporting cyber-related incidents and risks?
The plain truth is that many CISOs don’t understand materiality. In addition, many organizations have chosen to use a risk lens that downplays the actual risk of an incident, as well as the future cybersecurity-related risks to their shareholders, their customers, and to society.
Hopefully, that is about to change:
- In remarks last year, Gary Gensler, Chair of the Securities and Exchange Commission (SEC), made clear that the SEC “has a role to play” in regulating cybersecurity in the name of “maintaining orderly markets.” Shortly after those remarks, the SEC proposed a set of sweeping new rules governing the cybersecurity obligations of public companies and registered investment advisers and funds. In April, those rules are expected to be finalized.
- On March 2, 2023, the US National Cybersecurity Strategy was released by the White House.
The National Cyber Strategy has five pillars. “Pillar 3: Shape Market Forces to Drive Security and Resilience” seeks to hold software firms liable for insecurity. “Markets have imposed ‘inadequate costs’ on companies that build vulnerable technology,” the document says.