Having strong cybersecurity policies is critical for protecting a company's business, as the amount of commerce conducted over networks and the Internet increases each year. Last month the Congressional Research Service released a paper about cybersecurity information sharing and how it can help companies, both large and small, improve their cybersecurity efforts to decrease preventable breaches. The paper, along with other industry research, is recommended reading for leaders of any business that deals with internet-based transactions.

The Financial Impact of Security Breaches

The Center for Strategic and International Studies estimates that cybercrime costs the global economy between $375 and $575 billion per year; this calculation takes into account the hundreds of millions of people having their personally identifiable information (PII) stolen plus the damage companies and the global economy face as a result. The 2014 Ponemon Institute Cost of Cyber Crime Study calculates that the average cost of cybercrime for U.S. companies has increased 9% from 2013 to 2014. Expect these numbers to climb as more PII and business records are stored digitally.

The Benefits of Sharing Cybersecurity Information

Sharing information about new threats, best practices, and the effects of an attack can have the following benefits:

• Businesses, particularly small businesses, can prepare for and protect themselves from attacks and breaches.
• Can have a positive impact on a company's reputation in the industry – being seen as a team player and as a good corporate citizen will encourage other companies to follow suit.
• Helps prevent duplication of work, meaning that the money saved on security development could be diverted to different security measures or other company needs.
• "[i]s arguably integral to national security and economic growth, and people may choose to share information even when it goes against the balance of their near-term economic incentive to foster a more secure nation and a more productive economy." (Congressional Research Service paper, p. 7)

Corporate America Sometimes Reluctant to Share Cybersecurity Information

One reason companies have been reluctant to share information about their security and data breaches is due to worry that doing so will violate privacy and/or antitrust laws. The government is aware of these concerns and "has provided guidance that it will not consider generally accepted cybersecurity information sharing to be anticompetitive behavior." (Congressional Research Service paper, p.4)

Another oft-cited reason for not sharing cybersecurity information is concern about decreasing sales numbers and falling stock prices. Target, victim of a massive 2013 breach, saw its stock prices increase 19% in the three months after the data breach was publicly revealed. Costco, Walmart, and Best Buy, three of Target's biggest competitors, saw their stock prices drop during the same time period.

Avenues for Sharing Cybersecurity Information

The SEC requires publicly traded companies to disclose information that has a "substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available;" however, neither the SEC or court system has mandated when a company must announce that information.

The Information Sharing and Analysis Center (ISACs) program was enacted in 1998 to create private sector, non-profit entities that collect, analyze, and share information on cybersecurity threats and best practices with its members. There are ISAC groups for different industries and they share information anonymously with the government and other members of the ISAC group. Membership is not mandatory, but it can cost money depending on the level of membership the company desires.

Congress has also attempted to pass legislation that would incentivize companies to share information. Three unsuccessful bills were introduced during the 113th Congress that introduced incentives for sharing information that ranged from tax credits to assurances that certain information would not be subject to public disclosure.

Summary and Takeaways

• Cybercrime is increasing each year and costs the global economy hundreds of billions of dollars every year.
• Sharing cybersecurity information has benefits ranging from preventing future attacks, decreased expenses, and fostering a positive reputation in the industry.
• Some of the fears of sharing cybersecurity information may be unfounded.
• ISACs provide an avenue for sharing information anonymously with the government and other companies in the same industry.