Having strong cybersecurity policies is critical for protecting a company's business, as the amount of commerce conducted over networks and the Internet increases each year. Last month the Congressional Research Service released a paper about cybersecurity information sharing and how it can help companies, both large and small, improve their cybersecurity efforts to decrease preventable breaches. The paper, along with other industry research, is recommended reading for leaders of any business that deals with Internet-based transactions.
The Financial Impact of Security Breaches
The Center for Strategic and International Studies estimates that cybercrime costs the global economy between $375 and $575 billion per year; this calculation takes into account the hundreds of millions of people whose personally identifiable information (PII) is stolen, plus the damage companies and the global economy face as a result. The 2014 Ponemon Institute Cost of Cyber Crime Study calculates that the average cost of cybercrime for U.S. companies increased 9% from 2013 to 2014. Expect these numbers to climb as more PII and business records are stored digitally.
The Benefits of Sharing Cybersecurity Information
Sharing information about new threats, best practices, and the effects of an attack can have the following benefits:
Corporate America Sometimes Reluctant to Share Cybersecurity Information
One reason companies have been reluctant to share information about their security and data breaches is the worry that doing so will violate privacy and/or antitrust laws. The government is aware of these concerns and "has provided guidance that it will not consider generally accepted cybersecurity information sharing to be anticompetitive behavior." (Congressional Research Service paper, p.4)
Another oft-cited reason for not sharing cybersecurity information is concern about decreasing sales numbers and falling stock prices. Target, victim of a massive 2013 breach, saw its stock prices increase 19% in the three months after the data breach was publicly revealed. Costco, Walmart, and Best Buy, three of Target's biggest competitors, saw their stock prices drop during the same time period.
Avenues for Sharing Cybersecurity Information
The SEC requires publicly traded companies to disclose information that has a "substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available;" however, neither the SEC nor the court system has mandated when a company must announce that information.
The Information Sharing and Analysis Center (ISAC) program was enacted in 1998 to create private sector, non-profit entities that collect, analyze, and share information on cybersecurity threats and best practices with their members. There are ISAC groups for different industries, and they share information anonymously with the government and other members of the ISAC group. Membership is not mandatory, but it can cost money depending on the level of membership the company desires.
Congress has also attempted to pass legislation that would incentivize companies to share information. Three unsuccessful bills introduced during the 113th Congress offered incentives for sharing information, ranging from tax credits to assurances that certain information would not be subject to public disclosure.
Summary and Takeaways