Cyberattacks a Sarbanes-Oxley Issue?

Kevin Coleman of Technolytics Institute says cyberattack concerns are starting to appear in SEC filings.

There's been a lot of attention paid recently to the threat cyber attacks pose to business, society and government.  And no wonder, with U.S. Air Force advertisements claiming the Pentagon is attacked three million times a day; the Computer Security Institute announcing that  10,000 distributed DoS attacks occur around the world daily; or the estimate that as many as 80 million machines may have been compromised by the STORM software worm. Security and business professionals alike are increasingly concerned, and even Department of Homeland Security Chief Michael Chertoff says that the department has been increasing its anti-hacking efforts.  U.S. companies have been primary targets for cyber-attacks, and the frequency and sophistication of these attacks are increasing.

Given the regularity of cyber attacks, they have now entered into the category of a foreseeable risk, which in legal terms is defined as a danger that a reasonable person should anticipate as the result of his or her actions or inaction.  In other words, a person or company that doesn't respond to a foreseeable risk could be found negligent  if they depart from the conduct expected of a reasonably prudent person acting under similar circumstances.

All that said, business would be well advised to examine the threat of cyber attacks and update their business continuity/disaster recovery plans. But that's not what I see happening. It's true that businesses are changing their approach to cyber-attacks, utilizing both traditional means, such as increased risk assessment and training, and nontraditional means, like hiring hackers to probe corporate security, as well as looking to the federal government for guidance.

However, in a recent presentation I gave to approximately 100 professionals representing nearly 70 businesses in New York, an informal poll of the audience showed that no one has considered a cyber attack in their contingency plans.  On further polling, I found that only 4% had even heard about the cyber attack that last summer disrupted Estonia's infrastructure and banking operations, to the point that the country had to shut down key computer systems.

Given a document I stumbled across in January, cyber attacks may have also become a Sarbanes-Oxley issue.  A 10Q filed by Respironics, Inc., a medical devices manufacturer in Murrysville, Pa., recently acquired by Royal Philips Electronics, came up on a Google search for "cyber attack." On page 15, the term "cyber-attack" is identified as a factor that could cause the company's actual financial results to differ materially from the expected results included in the forward-looking statements.

Historically we have only seen a few high-tech companies identify cyber-attack as a risk. Given that Respironics' business is not related to information technology or the Internet, it clearly indicates the growing business concerns surrounding the threat of cyber attacks.

All this said, given the media attention to this emerging threat, it would be difficult to defend against claims of negligence if a business experienced a cyber attack that had significant financial implications. Corporate governance today requires effective internal controls, and it depends on the integrity of information within the organization, as well as the identification and management of risks that could potentially impact financial performance.  Today more than ever, an organization's reputation, brand image and financial results all depend on the integrity and availability of its computer systems.

It's up to business and security executives to answer the question, How would our company operate without the Internet for one hour, one day or one week? The response of one corporate executive I talked to who asked not to be identified was pretty frank: "I don't want to even think about the disruption and financial implication of the Internet going away for a day." What about you? ##

Kevin G. Coleman is a fifteen year veteran of the computer industry. A Kellogg School of Management Executive Scholar, he was the former Chief strategist of Netscape. Now he is a Senior Fellow and International Strategic Management Consultant with the Technolytics Institute an executive think-tank. For six years he served on the Science and Technology advisory board for the Johns Hopkins University - Applied Physics Lab, one of the leading research institutions in the United States and served for four years on the University of Pittsburgh Medical Centers Limbaugh Entrepreneurial Centers Advisory Board. He has published over sixty articles covering security and defense related matters including UnRestricted Warfare and Cyber Warfare & Weapons. In addition he has testified before the U.S. Congress on Cyber Security and is a regular speaker at security industry events and the Global Intelligence Summit.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies