Home » Data Protection » PCI and Compliance

Opinion

Cyberattacks a Sarbanes-Oxley Issue?

Kevin Coleman of Technolytics Institute says cyberattack concerns are starting to appear in SEC filings.

April 10, 2008 —

There's been a lot of attention paid recently to the threat cyber attacks pose to business, society and government. And no wonder, with U.S. Air Force advertisements claiming the Pentagon is attacked three million times a day; the Computer Security Institute announcing that 10,000 distributed DoS attacks occur around the world daily; or the estimate that as many as 80 million machines may have been compromised by the STORM software worm. Security and business professionals alike are increasingly concerned, and even Department of Homeland Security Chief Michael Chertoff says that the department has been increasing its anti-hacking efforts. U.S. companies have been primary targets for cyber-attacks, and the frequency and sophistication of these attacks are increasing.

Given the regularity of cyber attacks, they have now entered into the category of a foreseeable risk, which in legal terms is defined as a danger that a reasonable person should anticipate as the result of his or her actions or inaction. In other words, a person or company that doesn't respond to a foreseeable risk could be found negligent if they depart from the conduct expected of a reasonably prudent person acting under similar circumstances.

All that said, business would be well advised to examine the threat of cyber attacks and update their business continuity/disaster recovery plans. But that's not what I see happening. It's true that businesses are changing their approach to cyber-attacks, utilizing both traditional means, such as increased risk assessment and training, and nontraditional means, like hiring hackers to probe corporate security, as well as looking to the federal government for guidance.

However, in a recent presentation I gave to approximately 100 professionals representing nearly 70 businesses in New York, an informal poll of the audience showed that no one has considered a cyber attack in their contingency plans. On further polling, I found that only 4% had even heard about the cyber attack that last summer disrupted Estonia's infrastructure and banking operations, to the point that the country had to shut down key computer systems.

Given a document I stumbled across in January, cyber attacks may have also become a Sarbanes-Oxley issue. A 10Q filed by Respironics, Inc., a medical devices manufacturer in Murrysville, Pa., recently acquired by Royal Philips Electronics, came up on a Google search for "cyber attack." On page 15, the term "cyber-attack" is identified as a factor that could cause the company's actual financial results to differ materially from the expected results included in the forward-looking statements.