Speech
A Threefold Cord[1] — Working Together to Meet the Pervasive Challenge of Cyber-Crime

Commissioner Luis A. Aguilar

United States Securities and Exchange Commission

SINET Innovation Summit
New York, New York

June 25, 2015

Good morning. Thank you for that kind introduction. It is my honor to deliver the opening remarks for today’s Innovation Summit. I am glad to be at an event that brings together the public and private sectors to combat one of the growing threats to our economy and to our personal financial security. I want to thank Robert Rodriguez for his invitation to speak today — and to recognize his long service to our nation and his commitment to cybersecurity.[2] I commend him for the important work he is doing.

Before I continue with my remarks, however, let me issue the standard disclaimer that the views I express today are my own, and do not necessarily reflect the views of the SEC, my fellow Commissioners, or members of the staff.

Cybersecurity is an issue of profound importance in today’s technology-driven world. What was once a problem only for IT professionals is now a fact of life for all of us. I say “us” because, as you may know, hackers breached a government database a few weeks ago and stole the personal information of roughly four million government employees, which may well include me.[3] There’s hardly a day that goes by that we don’t hear of some new cyberattack. These incidents are clear illustrations of how the internet has become an integral part of our professional and personal lives. And while the benefits have been enormous, so, too, have the risks.

In fact, there is almost no aspect of our lives that cybersecurity does not touch. Each day, cyber-criminals try to invade our privacy,[4] steal our savings,[5] pilfer our business secrets,[6] and jeopardize our national security.[7] Cyber-criminals can even cost us our livelihood. One study has estimated that cybercrime and cyber-espionage may lead to the loss of as many as 508,000 jobs in America each year.[8] And, in a more ominous turn, cyber-criminals may have an increasing ability to threaten our physical safety. Recent reports have highlighted how the Internet of Things[9] is creating new opportunities for cyber-criminals to attack the devices we rely on every day, including medical equipment, cars, and home security systems.[10]

In light of all this, it is not an overstatement to say that cybersecurity is one of the defining issues of our time. This is the very reason I have worked so hard in recent years to bring greater attention to this topic. Last year, I persuaded the Commission to convene a roundtable to discuss the risks that cyber-attacks pose to the companies we regulate, such as broker-dealers and investment advisers, as well as to public companies and the integrity of our markets.[11] Also last year, I called upon the boards of directors of our nation’s public companies to play a far greater role in their companies’ cybersecurity efforts.[12] I have also urged the Commission to sharpen its own focus on the cybersecurity threat, including by forming an internal working group to bring the agency’s combined expertise to bear on this critical area.[13]

These efforts were important first steps toward a more agile and robust response to cyber-crime. But, much more needs to be done. Cyber-attacks are becoming more pervasive, dynamic, and clandestine with each passing year. We must remain focused on cybersecurity if we are to keep pace with this constantly evolving threat. In addition, all stakeholders must work together.[14] No single organization has the resources or the expertise to combat the advanced and persistent cyberattacks that are being launched today.[15] A vibrant partnership between the public and private sectors is therefore essential to an effective defense.

Today, I would like to talk about the various ways in which the SEC has been addressing this threat, and some areas where additional work — and additional collaboration — would be beneficial.

Anni Horribiles — Past and Present

Last year, as in recent years, we witnessed a number of massive data breaches at public companies and financial institutions. One of the largest known breaches, which was experienced by eBay, affected 145 million customers, while breaches at JP Morgan and Home Depot affected 82 million and 56 million customers, respectively.[16] And it will come as no surprise to those in this room that this year is predicted to be just as bad, if not worse.[17] Many of these attacks were focused on stealing personal information. The reason for this is all too obvious: the market for stolen credit cards and other personal data, such as medical information, is massive. In fact, the market for stolen credit cards, which is estimated to be $114 billion, exceeds the estimated global market for cocaine by roughly $29 billion.[18] Cyber-criminals thus have a compelling incentive to continue their efforts in the future.

A review of the cybersecurity landscape over the past few years reveals some very interesting — and troubling — trends. For example:

  • Cyber-attackers are exploiting vulnerabilities more quickly, but our defenses are increasingly sluggish. One report observed that, on average, it took 55% longer in 2014 to issue patches for so-called zero-day vulnerabilities,[19] like the Heartbleed defect,[20] than in 2013.[21] As a result, attackers last year were able to exploit the top five zero-day vulnerabilities for a combined 295 days before patches became available, a more than 1,400% increase over the prior year.[22] Furthermore, nearly 90% of last year’s successful cyber-attacks exploited known vulnerabilities that are more than a decade old.[23] It would seem that organizations are not installing the patches that are available as promptly as they should.
  • Another disconcerting trend is that cyber-criminals are now collaborating to a far greater degree, and are reinvesting their proceeds into their illicit operations.[24] The result has been a marked increase in the quality, quantity, and complexity of attacks.[25] Last year, for example, cyber-criminals devised a new form of distributed denial of service attack that is capable of generating traffic at a staggering 400 gigabytes per second.[26] This means that distributed denial of service attacks are now 50 times as large as they were just a decade ago.[27] And, more than 317 million new pieces of malware were created last year alone, meaning that nearly one million new threats were released each day.[28]
  • In addition, cyber-attackers are now leapfrogging defenses in ways that many companies lack the foresight to anticipate.[29] The result is that network security is now estimated to be effective only 24% of the time.[30] There appear to be several reasons for this, but studies have noted that savvy cyber-attackers are using new and innovative techniques to evade detection, including hiding malicious code inside software vendors’ updates,[31] designing malware that relies on tools users trust,[32] and even hijacking companies’ own servers to build attack software.[33]
  • Finally, the advent of the so-called “dark web” has allowed amateur cyber-criminals to anonymously purchase do-it-yourself malware kits.[34] Earlier this year, a new website was launched that was specifically aimed at selling malware designed to exploit zero-day vulnerabilities.[35] According to the head of Europol’s cybercrime division, wannabe hackers purchasing malware off the internet are becoming one of the biggest threats to businesses.[36]

Some statistics will help to further underscore the scope and urgency of the cybersecurity threat. One study found that the number of known cybersecurity incidents rose by 48% last year,[37] and while many incidents were the result of employee negligence, it is believed that attackers were responsible for the majority of these incidents.[38] Equally troubling is that the average total cost of a data breach has risen by 23% over the last two years.[39] Last year also saw a 20% rise in the number of websites with critical vulnerabilities,[40] a record high number of zero-day vulnerabilities,[41] and a 4,000% increase in crypto-ransomware attacks.[42] Notably, even law enforcement agencies have fallen victim to crypto-ransomware.[43] And, in a development that highlights the increasingly vulnerable nature of mobile devices, one study last year found that 17% of all apps for Android devices were nothing more than malware in disguise.[44]

The Commission’s Response

These statistics emphasize that cybercrime is a serious and persistent threat. This is especially true for the financial industry, which has traditionally been the primary target for cyber-criminals.[45] In fact, in testimony provided during a June 16 Congressional hearing, it was revealed that one major U.S. bank was recently subjected to 30,000 cyberattacks in a single week, which amounts to a new attack every 34 seconds.[46]

So what has the SEC been doing to help protect investors and our markets? To address the growing cybersecurity threat, the Commission is using a multi-faceted approach that brings to bear all the tools at its disposal. This includes implementing new rules, inspecting and examining regulated entities, bringing enforcement actions, and working to educate both the industry and the public by issuing guidance on cybersecurity matters.

Let me add some specifics by highlighting some of the SEC’s efforts in each of these areas.

Regulation Systems Compliance and Integrity

I’ll start with our rulemaking efforts. In fact, the Commission has had rules addressing cybersecurity for many years. Maintaining the integrity of the technology systems that drive our capital markets has been a concern for the SEC for some time. But to ensure that the Commission’s regulatory framework keeps pace with the sweeping technological changes that securities markets have witnessed in recent years, the SEC finalized a new rule last November, called Regulation Systems Compliance and Integrity, or Reg SCI.[47] Firms will need to begin complying with this rule in November of this year. Reg SCI will require certain key market participants, such as stock exchanges, to implement a robust set of cybersecurity protocols to ensure that their systems are secure from cyberattacks, and are also sufficiently resilient to recover should an attack succeed.[48] In addition, Reg SCI will require that these entities monitor their systems for possible cyberattacks, respond promptly to any significant intrusions, and report such intrusions to the SEC within 24 hours, among other things.[49]

I would like to point out a few of the more noteworthy aspects of Reg SCI, because I believe they can serve as a model for how regulators may want to approach cybersecurity issues. First, this rule employs a risk-based approach, so that the most critical systems are held to a higher standard.[50] This ensures that organizations focus their limited resources[51] where they will do the most good. Second, the rule avoids an overly prescriptive approach. Instead, entities must develop procedures that are tailored to their unique risks.[52] This is essential, as it avoids a check-the-box approach to cybersecurity, in which entities do only what is necessary to meet the minimum regulatory requirements, but still leave themselves vulnerable to attack.[53] Finally, the rule mandates that an entity’s senior management and board of directors be actively engaged in cybersecurity issues. This is consistent with my earlier calls for greater board involvement in cybersecurity issues. It also recognizes the simple truth that board involvement ensures greater accountability, and, as one study has shown, makes breaches less likely, and can even reduce the cost of breaches when they occur.[54]

Unfortunately, Reg SCI doesn’t apply to many important segments of the capital markets. For example, it doesn’t apply to over-the-counter market-makers, stockbrokers, or transfer agents. Obviously, more work is needed to ensure that the Commission’s cybersecurity rules address all key areas of the market we regulate.

Cybersecurity Inspections and Examinations

Turning to the topic of inspections and examinations, the SEC has recently conducted examinations of several of the entities we oversee to assess their cybersecurity methods. For example, last year, the SEC’s Office of Compliance Inspections and Examinations, or OCIE, examined 57 broker-dealers and 49 investment advisers to better understand their cybersecurity protocols.[55] The SEC published the results of this sweep earlier this year, and it is noteworthy that the sweep found that most firms had been the targets of a cyberattack, either directly or through a vendor.[56]

The sweep also revealed areas that needed improvement. For instance, the sweep determined that, while the vast majority of the firms had adopted written policies regarding information security and cyberattacks,[57] these policies generally failed to specify how firms would determine responsibility for client losses stemming from a cyberattack.[58] Similarly, while the sweep found that most firms conduct periodic risk assessments of their own systems, fewer firms conducted similar assessments of their vendors’ systems.[59] This leaves these firms exposed to a commonly exploited vulnerability.[60] Finally, the sweep noted that only two-thirds of broker-dealers and only one-third of advisers have elected to designate a chief information security officer, and that cybersecurity insurance is carried by just over half of broker-dealers, and by less than a quarter of advisers.[61] Designating an information security officer and carrying cyber-insurance are both commonsense precautions that have been shown to decrease the costs associated with data breaches, and it’s disappointing so many firms fall short in these important areas.[62]

Enforcement Actions

Let’s turn now to the topic of enforcement.[63] It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years,[64] and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches.[65] Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.[66]

The Commission’s cybersecurity enforcement efforts have included situations where stock brokers and investment advisers failed to protect their customers’ confidential information. For example, the SEC brought a lawsuit in 2011 against the senior officers of one brokerage firm that failed to take remedial steps after the firm suffered several serious breaches.[67] The successful prosecution of these incidents sends a strong message that the SEC takes cybersecurity issues very seriously — and that the industry must do so, as well.

The constantly shifting cybersecurity landscape is a particular challenge for the SEC’s Division of Enforcement, because it is often the tip of the spear in dealing with new and emerging threats. New types of attack are constantly popping up. For example, one novel scheme that was recently brought to the Commission’s attention involves a group of cybercriminals that attempts to steal confidential business information that could be used for illegal insider trading.[68] These cybercriminals, dubbed the “FIN 4” group, have attacked over 100 companies using spear-phishing campaigns designed to obtain confidential information about merger negotiations and other market-moving events, such as pending approvals by the Food and Drug Administration.[69] FIN 4 sends tainted emails to corporate executives, researchers, and attorneys, who are likely to possess sensitive business information.[70] FIN 4’s exploits serve as a reminder of the ingenuity of cybercriminals, and of the importance of continuously monitoring the cybersecurity landscape.

Staff Guidance on Cybersecurity Issues

Let me now turn to the Commission’s efforts to educate market participants about cybersecurity issues. As many of you likely know, from time to time, the SEC furnishes guidance as to cybersecurity obligations under federal securities laws. For example, just two months ago, the Division of Investment Management issued cybersecurity guidance[71] for investment advisers and investment companies, such as mutual funds, that collectively manage over $66 trillion in assets.[72] This guidance highlights their responsibility to protect sensitive client information. The guidance also identifies a number of measures that advisers and funds should consider, including periodic testing of their IT systems, developing and testing a cybersecurity strategy, and providing employee training.

In addition, in 2011, the SEC’s Division of Corporate Finance provided guidance on the obligation of public companies to disclose their cybersecurity risks.[73] This guidance noted that public companies are required to disclose any risks or events that reasonable investors would find important when deciding whether to invest or how to vote their shares.[74] The guidance made clear that this broad disclosure obligation extends to any significant cybersecurity incidents that a company may experience, as well as any substantial cybersecurity risks that could make investments in a company speculative.[75] However, mindful of the risks associated with such disclosures, the guidance emphasized that companies do not need to disclose information that might provide cyber-attackers a roadmap to infiltrate the company.[76]

Finally, the SEC’s Office of Investor Education and Advocacy issued an Investor Bulletin earlier this year that seeks to help investors avoid being victimized by cybercriminals.[77] This advice includes practical and commonsense measures for the use of online investment accounts, such as using different passwords for each account, requiring two-step verification when possible, and exercising caution when using public networks and wireless connections.[78]

The Challenges Ahead

Although the SEC has not shied away from cybersecurity issues — whether by promulgating rules, inspecting regulated entities, or bringing enforcement cases — much work remains to be done. Cybersecurity is not a problem to be solved, but a continuous threat that demands constant attention.[79] It’s an old joke that only the paranoid survive.[80] In the cybersecurity context, it might just be true.

To that end, I would now like to discuss a few things that could help better protect us from the risk of cyberattacks.

Enhanced Cooperation Among All Stakeholders

First, cybercrime is a common threat that requires a coordinated response. It is widely acknowledged that one of the best defenses against cyberattacks is the prompt sharing of actionable information about threats and possible defenses.[81] As the National Institute of Standards and Technology recently observed, we can bolster our cyber defenses tremendously by harnessing our collective knowledge of the threat landscape, and by coordinating our responses.[82] To be sure, the sharing of cyber threat information is not a cure-all,[83] but it can certainly improve cyber defense.[84]

Unfortunately, we appear to be doing a poor job of sharing cyber threat information. A 2014 study found that intelligence sharing remains largely ad hoc and informal.[85] In fact, most threat information is currently shared among peers by phone, email, or in-person meetings, or is provided by IT security vendors.[86] This word-of-mouth approach is parochial, unreliable, and inexcusably slow.[87] Threat intelligence can grow stale within minutes, if not seconds.[88] And almost half of all cyberattacks spread to their second victim within less than an hour.[89] Yet, according to one study, as often as not, firms receive threat intelligence days, weeks, or months after the initial attack, rendering much of it useless.[90] Cybersecurity is far too critical an issue to be relegated to a game of telephone.

This state of affairs results mainly from inadequacies in the current infrastructure for sharing threat information. Although certain industries have formed cyberattack intelligence sharing mechanisms, known as Information Sharing and Analysis Centers, or ISACs,[91] the president of the Financial Services ISAC recently admitted that most firms rely on their peers as their primary source of cyber threat information, rather than an ISAC.[92] Some experts have noted that one reason for this is that ISACs often do not distribute threat information quickly enough.[93] Another problem is that the information ISACs distribute is not prioritized, and lacks sufficient context to be immediately actionable.[94]

Many experts recognize that our cybersecurity efforts will never be truly effective until we automate the process of sharing threat intelligence.[95] Prior efforts to develop real-time, computer-to-computer information sharing platforms have faltered, but there is cause for optimism. Certain ISACs, including those for the financial services and healthcare industries, have adopted new software packages that should enable them to more quickly distribute cyber threat intelligence, and will also standardize the format in which intelligence is presented.[96] This is certainly a cause for optimism, yet other problems remain. For instance, many believe that the ISACs’ industry-focused approach inhibits the broader sharing of cyber threat intelligence that could be informative to other industries and other companies.[97]

One way to break down these industry-based silos would be to form additional organizations that could link together the existing ISACs and broaden their reach. An executive order signed by President Obama earlier this year may help to do just that.[98] This order directs the Department of Homeland Security to develop new information sharing and analysis organizations, and to develop common standards for the sharing of cyber threat intelligence.[99] These new information sharing organizations could, if properly designed, foster a much more inclusive approach to the distribution of cyber threat intelligence.

Legislation to Foster Information Sharing

Another barrier to a more robust approach to cybersecurity lies in the legal risks associated with sharing threat intelligence. Many firms claim that such liability is one of the principal hurdles they face when they seek to share information.[100] This is a legitimate concern, and there is but one solution. Obviously, legislation is needed to allow firms to share information with each other and with the government without fear of liability. Several bills have been proposed in Congress that would address this problem,[101] yet nothing has materialized to date. I do not doubt that there are difficult issues that need to be resolved, including how to ensure that our privacy and civil liberties are protected. For the good of this nation and our economy, however, Congress must bridge its differences and work quickly to forge a path forward on this issue. Without such legislation, we are all at risk.

What the SEC Can Do

Congress is not the only one that has work to do. The SEC can also find ways to better address the ever-present danger of cyberattacks. Some simple measures the SEC should consider include the following.

First, as I mentioned earlier, the Commission needs to expand the scope of Reg SCI to reach other crucial market participants. This should be a top priority.

Second, the SEC needs to ensure that public companies provide better and more timely information about the particular cyberattack risks they face, and to be more consistent in disclosing cybersecurity incidents. One 2014 study noted that the Commission’s 2011 guidance on cyber risk disclosures “has resulted in a series of disclosures that rarely provide differentiated or actionable information for investors.”[102] This view was shared by some participants at the SEC’s cybersecurity roundtable, as well.[103] Public companies need to tailor their risk disclosures to provide more useful information about the precise nature of the risks their specific business models present. In this regard, SEC staff may wish to consider updating its 2011 guidance regarding public companies’ cyber risk disclosures.[104]

Third, the SEC should provide more guidance to market intermediaries about how to respond to more limited cybersecurity incidents. For example, one participant at the cybersecurity roundtable noted that stock exchanges need more guidance as to how to respond if a broker-dealer’s account were hacked and unauthorized trading occurred,[105] while another sought guidance on how to unwind “data corruption” events limited to one market sector, but which affect other sectors.[106] The SEC should study such eventualities and develop guidance, as appropriate.

Conclusion

I will conclude my remarks by again thanking SINET for inviting me to speak today. I believe that a vibrant partnership between the public and the private sectors is the linchpin to an effective cybersecurity framework. I believe that only by working together can we make meaningful progress.

Have a great conference. Thank you.



[1] Though a man might prevail against one who is alone, two will withstand him — and a threefold cord is not quickly broken. Ecclesiastes 4:12.

[3] Ellen Nakashima, Chinese breach data of 4 million federal workers, The Washington Post (June 4, 2015), available at http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html.

[4] Ashkan Soltani and Timothy B. Lee, Research shows how MacBook Webcams can spy on their users without warning, The Washington Post (Dec. 18, 2013) (noting that hackers were able to commandeer other people’s laptop cameras without their knowledge and even take photographs of their victims while they were dressing), available at http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/; Testimony of Edmund Mierzwinski, U.S. PIRG Consumer Program Director, before the House Committee on Oversight and Government Reform Subcommittee on Information Technology (Mar. 18, 2015) (noting that the data breach of Anthem, a health insurer, “struck a mother lode of consumer data. The theft included information on up to 80 million consumers (including some non-Anthem customers in related plans) and the data points taken included the names of employers, birth dates, social security numbers, medical account numbers, phone numbers, and home and email addresses (but no medical records).”), available at http://oversight.house.gov/wp-content/uploads/2015/03/Mierzwinski_USPIRG_18March2018_Cybersecurity2.pdf. Experts believe that the Anthem data will hold strong value to thieves for years (while card numbers decline rapidly in black market value). Id.

[5] David E. Sanger and Nicole Perlroth, Bank Hackers Steal Millions via Malware, International New York Times (Feb. 14, 2015) (noting that, since late 2013, an unknown group of hackers has reportedly stolen $300 million — and possibly as much as triple that amount — from banks across the world), available at http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html.

[6] Interview with James Comey, Director of the Federal Bureau of Investigation, 60 Minutes (Oct. 5, 2014) (remarking that cybercriminals, particularly those working from China, cost the U.S. economy up to “billions” of dollars each year), available at http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/; Testimony of Richard Bejtlich, Chief Security Strategist, FireEye, Inc., before the U.S. House of Representatives Permanent Select Committee on Intelligence (Mar. 19, 2015) (noting that “[t]he Chinese and Russians tend to hack for commercial and geopolitical gain. The Iranians and North Koreans extend these activities to include disruption via denial of service and sabotage using destructive malware.”), available at http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/BejtlichSFR03192015.pdf?n=55524.

[7] Ellen Nakashima, Researchers identify sophisticated Chinese cyberespionage group, The Washington Post (Oct. 28, 2014) (discussing a “Chinese cyberespionage group” that “is going after intelligence benefiting Chinese domestic and international policies — an across-the-waterfront approach that combines commercial cyberespionage, foreign intelligence and counterintelligence with the monitoring of dissidents.”), available at http://www.washingtonpost.com/world/national-security/researchers-identify-sophisticated-chinese-cyberespionage-group/2014/10/27/de30bc9a-5e00-11e4-8b9e-2ccdac31a031_story.html.

[8] Center for Strategic and International Services, The Economic Impact of Cybercrime and Cyber Espionage, 17 (July 2013), available at http://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf.

[9] “The Internet of Things (‘IoT’) refers to the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day.” Federal Trade Commission, Internet of Things: Privacy & Security in a Connected World, 12-13 (Jan. 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[10] Id. at 12-13 (noting a number of physical safety risks resulting from the wider adoption of internet-connected devices, including how one IT expert was “able to hack remotely into two different connected insulin pumps and change their settings so that they no longer delivered medicine.”); Symantec, 2015 Internet Security Threat Report, 26-27 (Apr. 2015) (observing that “[i]n the past year, there has been a growing number of probing and experimental attacks on a range of [internet connected] devices, as well as a few serious attacks.”), available at http://know.symantec.com/LP=1123. Indeed, it is reported that one of the biggest hurdles to the advent of self-driving cars is the need to ensure that such vehicles cannot be hacked. Ben Geier, Car hacking: how big is the threat to self-driving cars?, Fortune (Oct. 7, 2014) (quoting Woodrow Hartzog, law professor at Samford University’s Cumberland School of Law and an affiliate scholar at Stanford Law School’s Center for The Internet and Society, as saying “I think it goes without saying that if you don’t get security right, automated cars don’t get off the ground,” and that “[i]f we have a mistake with some kind of cybersecurity with a car, we have an immediate physical threat.”), available at http://fortune.com/2014/10/07/car-hacking-how-big-is-the-data-threat-to-self-driving-cars/.

[11] The Securities and Exchange Commission hosted a roundtable at its Washington, D.C., headquarters on March 26, 2014, to discuss cybersecurity and the issues and challenges it raises for market participants and public companies, and how they are addressing those concerns. See Transcript of the U.S. Securities and Exchange Commission Cybersecurity Roundtable (Mar. 26, 2014), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt; Commissioner Luis A. Aguilar, The Commission’s Role in Addressing the Growing Cyber-Threat, (Mar. 26, 2014) (“After conducting research into this area, I recommended that the Commission convene a roundtable so that we can begin to develop a better understanding of this growing problem. I am pleased that Chair White agreed with my recommendation and asked the staff to make this roundtable a reality.”), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541287184.

[12] Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946.

[13] Commissioner Luis A. Aguilar, The Commission’s Role in Addressing the Growing Cyber-Threat (Mar. 26, 2014) (“One immediate step that the Commission should take is to establish a Cybersecurity Task Force. This Task Force should be composed of representatives from each division that will regularly meet and communicate with one another to discuss these issues, and, importantly, advise the Commission as appropriate.”), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541287184; Christopher J. Castelli, SEC establishes internal cybersecurity working group, Inside Cybersecurity (Oct. 23, 2014), available at http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/sec-establishes-internal-cybersecurity-working-group/menu-id-1075.html.

[14] Opening Remarks by Kenneth E. Bentsen, Jr., President and CEO, SIFMA, at the FINRA/SIFMA Cybersecurity Conference (Feb. 4, 2015) (observing that “cybersecurity must be a collaborative effort between the industry, regulators and policymakers,” and that “the most important takeaway we’ve learned through all of our simulations and work with our members and government partners is that information sharing is essential to an effective cybersecurity defense”), available at https://www.sifma.org/uploadedfiles/newsroom/speeches/2015/finra-sifma-cybersecurity.pdf; Remarks by Secretary of Homeland Security Jeh Johnson at the RSA Conference 2015 (Apr. 21, 2015) (noting that “[c]ybersecurity must be a partnership between government and the private sector. We need each other, and we must work together. There are things government can do for you, and there are things we need you to do for us.”), available at http://www.dhs.gov/news/2015/04/21/remarks-secretary-homeland-security-jeh-johnson-rsa-conference-2015.

[15] Testimony of Richard Bejtlich, Chief Security Strategist, FireEye, Inc., before the U.S. House of Representatives Permanent Select Committee on Intelligence (Mar. 19, 2015) (noting that “[o]nly a handful of organizations can attract, motivate, and retain the skilled individuals who know how to detect and respond to campaign-level intrusions.”), available at http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/BejtlichSFR03192015.pdf?n=55524.

[16] Ponemon Institute, LLC, 2014: A Year of Mega Breaches, 1 (Jan. 2015), available at http://www.ponemon.org/local/upload/file/2014%20The%20Year%20of%20the%20Mega%20Breach%20FINAL3.pdf; Symantec, 2014 Internet Security Threat Report, 7 (Apr. 2014) (dubbing 2013 “the Year of the Mega Breach”), available at http://www.itu.int/en/ITU-D/Cybersecurity/Documents/Symantec_annual_internet_threat_report_ITU2014.pdf.

[17] Ponemon Institute, LLC, 2014: A Year of Mega Breaches, 1 (Jan. 2015), available at http://www.ponemon.org/local/upload/file/2014%20The%20Year%20of%20the%20Mega%20Breach%20FINAL3.pdf. Notably, Symantec also dubbed 2013 the Year of the Mega Breach. See supra, note 13.

[18] Michael Hickins, What The Verizon Data Breach Report Means To Corporate Data Security, Forbes (Apr. 21, 2015) (noting that, “[a]ccording to Symantec, the global market for stolen credit card data is $114 billion. The market for cocaine is comparatively paltry at $85 billion, according to Interpol.”), available at http://www.forbes.com/sites/oracle/2015/04/21/what-the-verizon-data-breach-report-means-to-corporate-data-security/.

[19] A zero-day vulnerability is “a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors.” Kim Zetter, Hacker Lexicon: What Is a Zero Day?, Wired (Nov. 11, 2014), available at http://www.wired.com/2014/11/what-is-a-zero-day/.

[20] An interview with the programmer responsible for the Heartbleed vulnerability describes it as follows:

Robin Seggelmann was working on the OpenSSL software that is used as encryption by major websites as part of his PhD when he amended a section of the code known as the ‘heartbeat’.

The ‘heartbeat’ lets servers exchange brief messages with the user to check they’re still there. The user’s computer sends the server a randomly-chosen message (for example ‘coffee’) and its length (‘six characters long’). The server then returns this message to confirm that communications between the two are still working fine.

Seggelmann’s piece of code unfortunately created a loophole that let malicious users trick the server by claiming that their random message was as long as 64,000 characters. So, in the example above, the server sends back the word ‘coffee’ as well as tens of thousands of characters of potentially damaging information.

As far as hacking attacks go, exploiting Heartbleed would have been an imprecise and slow process, but if users requested enough slices of random information, sooner or later they’d find something sensitive.

James Vincent, Heartbleed: Coder responsible for 'catastrophic' bug says it can be 'explained pretty easily', The Independent (Apr. 11, 2015), available at http://www.independent.co.uk/life-style/gadgets-and-tech/news/coder-responsible-for-catastrophic-heartbleed-bug-says-it-can-be-explained-pretty-easily-9254053.html.
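The defect described in footnote 20 is a missing comparison between the length the peer claims for its heartbeat payload and the length of the record that actually arrived. The following C program is an added illustration written for this page; it is not code from the speech, the interview, or OpenSSL. It builds a heartbeat record in a constructed memory arena, places a constructed secret string right after the record, and compares a responder that trusts the claimed length with one that applies the RFC 6520 rule that header, payload and 16 bytes of padding must all fit in the received record. Function and constant names, the arena layout and the secret value are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message layout (RFC 6520): 1 byte type, 2 byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

#define ARENA_LEN 96   /* constructed stand-in for process memory */
#define OUT_CAP   96   /* capacity of the response buffer */

/* Constructed secret that happens to sit in memory after the record. */
static const char NEIGHBOUR_SECRET[] = "SESSION-KEY:deadbeef";

/* Write a heartbeat request for `payload` at the start of `arena`, but with
 * the length field set to `claimed` (which may exceed the real payload).
 * Returns the true record length: header + payload + minimum padding. */
size_t build_arena(uint8_t *arena, const char *payload, uint16_t claimed)
{
    size_t plen = strlen(payload);
    size_t rec_len = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER_LEN, payload, plen);
    /* padding stays zero; unrelated data follows immediately after the record */
    memcpy(arena + rec_len, NEIGHBOUR_SECRET, sizeof NEIGHBOUR_SECRET);
    return rec_len;
}

/* Pre-fix behaviour: the claimed length is never compared with rec_len.
 * The cap against OUT_CAP exists only so this demo stays memory-safe. */
int heartbeat_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                   /* ignored: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > OUT_CAP - HB_HEADER_LEN) claimed = OUT_CAP - HB_HEADER_LEN;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed); /* copies past the record */
    return HB_HEADER_LEN + claimed;
}

/* Post-fix behaviour: header + claimed payload + padding must fit inside the
 * record that was actually received; otherwise the message is discarded. */
int heartbeat_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER_LEN) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;
    if ((size_t)HB_HEADER_LEN + claimed > OUT_CAP) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    return HB_HEADER_LEN + claimed;
}

/* Does the byte string `hay` contain the text `needle`? */
int contains(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Scenario helpers: "coffee" sent with a claimed length of 40 (dishonest)
 * or 6 (honest). Each returns what a caller would observe. */
int unchecked_leaks_secret(void)
{
    uint8_t arena[ARENA_LEN], out[OUT_CAP];
    size_t rec_len = build_arena(arena, "coffee", 40);
    int n = heartbeat_unchecked(arena, rec_len, out);
    return contains(out, (size_t)n, "SESSION-KEY");   /* 1: secret echoed back */
}

int checked_result_for_claim(uint16_t claimed)
{
    uint8_t arena[ARENA_LEN], out[OUT_CAP];
    size_t rec_len = build_arena(arena, "coffee", claimed);
    return heartbeat_checked(arena, rec_len, out);     /* -1 rejected, else length */
}

int main(void)
{
    printf("unchecked responder leaks neighbouring secret: %d\n", unchecked_leaks_secret());
    printf("checked responder, claimed 40: %d\n", checked_result_for_claim(40));
    printf("checked responder, claimed 6:  %d\n", checked_result_for_claim(6));
    return 0;
}
```

The only difference that matters is the single `if` in `heartbeat_checked` that relates the attacker-controlled length field to the record length the transport actually delivered; the response copy itself is identical in both versions.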

[21] Symantec, 2015 Internet Security Threat Report, 5 (Apr. 2015), available at http://know.symantec.com/LP=1123.

[22] Id.

[23] Verizon, 2015 Data Breach Investigations Report, 10 (Apr. 13, 2015) (noting that the sharing of threat intelligence “should lead to a form of ‘herd alertness,’ similar to the way plains animals warn each other when predators are nearby.”), available at http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/.

[24] Testimony of William Noonan, Deputy Special Agent, U.S. Secret Service Criminal Investigative Division Cyber Operations Branch, before the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies (Feb. 12, 2015), available at http://www.dhs.gov/news/2015/02/12/written-testimony-usss-house-homeland-security-subcommittee-cybersecurity.

[25] Id.

[26] PwC, US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey, 4 (June 2014), available at http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf.

[27] Maria Korolov, DDOS attack size up 50-fold over past decade, CSO (Jan. 28, 2015), available at http://www.csoonline.com/article/2876763/network-security/ddos-attack-size-up-50-fold-over-past-decade.html.

[28] Symantec, 2015 Internet Security Threat Report, 7 (Apr. 2015), available at http://know.symantec.com/LP=1123.

[29] Id.

[30] Michael Hickins, What The Verizon Data Breach Report Means To Corporate Data Security, Forbes (Apr. 21, 2015) (quoting Naresh Persaud, senior director of Oracle’s security product marketing), available at http://www.forbes.com/sites/oracle/2015/04/21/what-the-verizon-data-breach-report-means-to-corporate-data-security/.

[31] Symantec, 2015 Internet Security Threat Report, 7 (Apr. 2015), available at http://know.symantec.com/LP=1123.

[32] Cisco, 2015 Annual Security Report, 6 (2015), available at http://www.cisco.com/web/offers/pdfs/cisco-asr-2015.pdf.

[33] Symantec, 2015 Internet Security Threat Report, 7 (Apr. 2015), available at http://know.symantec.com/LP=1123.

[34] Andy Greenberg, New Dark-Web Market is Selling Zero-Day Exploits to Hackers, Wired (Apr. 17, 2015), available at http://www.wired.com/2015/04/therealdeal-zero-day-exploits/; and Arjun Kharpal, Amateurs are buying DIY hacking kits off the dark web, CNBC (June 3, 2015), available at http://www.cnbc.com/id/102729318.

[35] Andy Greenberg, New Dark-Web Market is Selling Zero-Day Exploits to Hackers, Wired (Apr. 17, 2015), available at http://www.wired.com/2015/04/therealdeal-zero-day-exploits/.

[36] Arjun Kharpal, Amateurs are buying DIY hacking kits off the dark web, CNBC (June 3, 2015), available at http://www.cnbc.com/id/102729318.

[37] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015 (Sept. 30, 2014), available at http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml.

[38] Symantec, 2015 Internet Security Threat Report, 5 (Apr. 2015), available at http://know.symantec.com/LP=1123. Intrusions may be perpetrated not only by attackers, but also by employees who accidentally expose information without authorization. See Kroll, Data Security Statistics (last visited June 12, 2015) (noting that “[w]hile ‘unauthorized access’ is often associated with a Healthcare HIPPA privacy and security violation, in 2014, Kroll data revealed that our ‘general business’ clients experienced their highest number of unauthorized access cases (27%) to date.”) http://www.kroll.com/cyber-security/data-breach-prevention/cyber-risk-assessments/data-security-statistics.

[39] Ponemon Institute, LLC, 2015 Cost of Data Breach Study: Global Analysis, 1 (May 2015), available at http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03053wwen/SEW03053WWEN.PDF.

[40] Symantec, 2015 Internet Security Threat Report, 11 (Apr. 2015), available at http://know.symantec.com/LP=1123.

[41] Id. at 5, 15.

[42] Id. at 7. Crypto-ransomware is “a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state . . . that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100—$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.” U.S. Department of Homeland Security, United States Computer Emergency Readiness Team, Alert (TA14-295A): Crypto Ransomware (Oct. 22, 2014), available at https://www.us-cert.gov/ncas/alerts/TA14-295A.

[43] Alyssa Newcomb, Ransomware: How Hackers Are Shaking Down Police Departments, ABC News (Apr. 13, 2015), available at http://abcnews.go.com/Technology/hackers-shaking-police-departments-ransom/story?id=30278202.

[44] Symantec, 2015 Internet Security Threat Report, 10 (Apr. 2015), available at http://know.symantec.com/LP=1123.

[45] Transcript of the U.S. Securities and Exchange Commission Cybersecurity Roundtable, 28 (Mar. 26, 2014) (quoting Larry Zelvin as remarking that the financial industry “probably wins the cybersecurity threat award . . . for two reasons . . . . First is because you’re where the money is. The second one is that you also represent our nation.”), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt. According to one 2012 study, more than half of the world’s stock exchanges were the subject of a cyberattack. Reuters, Trillion dollar risk: Cyberattackers target markets (July 17, 2013), available at http://www.cnbc.com/id/100892575. It has also been reported that cybercriminals succeeded in planting a so-called digital bomb in one exchange’s servers. See Christopher Steiner, Knight Capital's Algorithmic Fiasco Won't Be The Last of its Kind, Forbes (Aug. 2, 2012), available at http://www.forbes.com/sites/christophersteiner/2012/08/02/knight-capitals-algorithmic-fiasco-wont-be-the-last-of-its-kind/.

[46] Testimony of Frank J. Cilluffo, Director, Center for Cyber and Homeland Security, Before the U.S. House of Representatives, Committee on Financial Services, Subcommittee on Oversight and Investigations, 1 (June 16, 2015) (noting that “the following figures which were provided to me recently by a major U.S. bank on a not-for-attribution basis: just last week, they faced 30,000 cyber-attacks. This amounts to an attack every 34 seconds, each and every day. And these are just the attacks that the bank actually knows about, by virtue of a known malicious signature or IP address. As for the source of the known attacks, approximately 22,000 came from criminal organizations; and 400 from nation-states.”), available at https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/A%20Global%20Perspective%20on%20Cyber%20Threats%20-%2015%20June%202015.pdf.

[47] Regulation Systems Compliance and Integrity, Securities Exchange Act Release No. 73639 (Nov. 19, 2014), available at http://www.sec.gov/rules/final/2014/34-73639.pdf.

[48] 17 CFR §§ 242.1000-02 (West 2015).

[49] Id.

[50] Regulation Systems Compliance and Integrity, Securities Exchange Act Release No. 73639, 30-31, 148-49 (Nov. 19, 2014), available at http://www.sec.gov/rules/final/2014/34-73639.pdf.

[51] Eric Engleman and Chris Strohm, Cybersecurity Disaster Seen in U.S. Survey Citing Spending Gaps, Bloomberg Business (Jan. 31, 2012) (citing a Ponemon Institute survey of IT managers from 172 organizations, in which respondents opined that industry would have to boost spending by 900% — from $5.3 billion to $46.6 billion — to repel 95% of cyberattacks), available at http://www.bloomberg.com/news/articles/2012-01-31/cybersecurity-disaster-seen-in-u-s-survey-citing-spending-gaps.

[52] Regulation Systems Compliance and Integrity, Securities Exchange Act Release No. 73639, 148-49 (Nov. 19, 2014), available at http://www.sec.gov/rules/final/2014/34-73639.pdf.

[53] Ryan Elmer, Check-the-Box Mentality Exposes Banks to Big Cyber Risks, American Banker (Jan. 13, 2015) (noting that many institutions have “exposed themselves to check-the-box compliance risk,” in which they “create governance that meets regulations without understanding the real intent of the guidance or effectively addressing the issues that the regulations are intended to tackle,” leading them to be technically “compliant yet still vulnerable to massive liabilities.”), available at http://www.americanbanker.com/bankthink/check-the-box-mentality-exposes-banks-to-big-cyber-risks-1072117-1.html. The pitfalls of such an approach were highlighted by Target, which was certified to be compliant with the payment card industry’s security standards just before it suffered its massive breach. Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, Bloomberg Business (Mar. 13, 2014) (noting that “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013,” just two months before the attack occurred), available at http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data.

[54] Ponemon Institute, LLC, 2015 Cost of Data Breach Study: Global Analysis, 3 (May 2015), available at http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03053wwen/SEW03053WWEN.PDF.

[55] U.S. Securities and Exchange Commission, Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary, National Exam Program Risk Alert, Vol. IV, Issue 4 (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.

[56] Id. at 2-3.

[57] Id. at 2.

[58] Id.

[59] Id.

[60] Ann M. Ladd, Top Trends in Data Protection and Cyber Security in 2015: Third Party Vendors Will Cause Data Security Incidents, Fredrickson & Byron, P.A. (Feb. 25, 2015) (noting that “[t]hird party vendors have been blamed for data breaches at Lowes, Goodwill, AT&T, Legal Sea Foods and Auto Nation.”), available at http://www.fredlaw.com/news__media/2015/02/24/778/top_trends_in_data_protection_and_cyber_security_in_2015_third_party_vendors_will_cause_data_security_incidents.

[61] U.S. Securities and Exchange Commission, Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary, National Exam Program Risk Alert, Vol. IV, Issue 4, at 4-5 (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.

[62] Ponemon Institute, LLC, 2015 Cost of Data Breach Study: Global Analysis, 3, 13 (May 2015), available at http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03053wwen/SEW03053WWEN.PDF. Last year, the Commission also examined the cybersecurity policies of the credit rating agencies registered with the SEC, which are instrumental in assessing the likelihood that companies and governments will repay their debt. Rebecca Marston, What is a rating agency?, BBC (Oct. 20, 2014), available at http://www.bbc.com/news/10108284. These exams found various problems. For example, the examinations found that all three of the largest rating agencies had failed to develop sufficient cybersecurity policies. Shortcomings were also noted at two of the smaller agencies. Even more troubling, however, is that one of these smaller agencies did not have any written cybersecurity policies at all. U.S. Securities and Exchange Commission, 2014 Summary Report of Commission Staff’s Examinations of Each Nationally Recognized Statistical Rating Organization, 18 (Dec. 2014), available at https://www.sec.gov/ocr/reportspubs/special-studies/nrsro-summary-report-2014.pdf. Clearly, there is much work to be done to bring these entities up to speed on cybersecurity issues.

[63] The SEC has authority to investigate potential violations of federal securities laws, and to file civil lawsuits when violations occur. See 15 U.S.C. § 77t (Securities Act of 1933), § 78u (Securities Exchange Act of 1934), § 80a-41 (Investment Company Act), § 80b-9 (Investment Advisers Act).

[64] See Chair Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2014) (noting that “we at the SEC have been focused on cybersecurity-related issues for some time.”), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468; Commissioner Luis A. Aguilar, The Commission’s Role in Addressing the Growing Cyber-Threat (Mar. 26, 2014) (“After conducting research into this area, I recommended that the Commission convene a roundtable so that we can begin to develop a better understanding of this growing problem. I am pleased that Chair White agreed with my recommendation and asked the staff to make this roundtable a reality.”), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541287184; Sara N. Lynch, SEC on the prowl for cyber security cases: official, Reuters (Feb. 20, 2015) (quoting David Glockner, Director of the SEC’s Chicago Regional Office, as saying “[c]yber security . . . is an area where we have not brought a significant number of cases yet, but is high on our radar screen.”), available at http://www.reuters.com/article/2015/02/20/us-sec-cyber-idUSKBN0LO28H20150220.

[65] Daniel F. Schubert, Jonathan G. Cedarbaum, and Leah Schloss, The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions, The Cybersecurity Law Report, 1 (Apr. 8, 2015) (noting that the SEC “currently has multiple active enforcement investigations involving data breach events,” and that the SEC’s “New York Regional Office has been particularly active in this space, although other offices are also getting involved and have active enforcement investigations.”), available at https://www.wilmerhale.com/uploadedFiles/Shared_Content/Editorial/Publications/Documents/the-secs-two-primary-theories-in-cybersecurity-enforcement-actions.pdf.

[66] Id. at 3 (noting that, at the February 2015 SIFMA/FISMA Cybersecurity Conference, Vincente Martinez, Chief of the Office of Market Intelligence in the SEC’s Division of Enforcement, stated that the “SEC is actively examining both how its existing authorities can be used to bring more enforcement actions when firms fail to [protect] . . . customer information and how those authorities might be broadened and strengthened.”), available at https://www.wilmerhale.com/uploadedFiles/Shared_Content/Editorial/Publications/Documents/the-secs-two-primary-theories-in-cybersecurity-enforcement-actions.pdf.

[67] See In the Matter of Marc A. Ellis, Securities Exchange Act Release No. 64220, 2 (Apr. 7, 2011) (noting that “after the theft of three laptop computers and a registered representative’s computer password credentials put customer information collected by [the broker-dealer] at risk of unauthorized access and use, [the firm’s Chief Compliance Officer] Ellis did not direct the firm to revise or supplement its policies and procedures for safeguarding customer information. As a result, Ellis aided and abetted and caused [the broker-dealer’s] violations of the Safeguard Rule.”), available at http://www.sec.gov/litigation/admin/2011/34-64220.pdf. See also In the Matter of David C. Levine, Securities Exchange Act Release No. 64222, 2 (Apr. 7, 2011) (noting that “prior to resigning from [the broker-dealer], Levine downloaded nonpublic customer information for the 16,000 accounts on a portable thumb drive. Levine resigned from [the broker-dealer] on April 23, 2010, and then affiliated with a new broker-dealer . . . Thereafter, Levine supplied the broker-dealer receiving the accounts with nonpublic personal information for the 16,000 accounts, including the product custodian, the account holder’s name and address, and the account number and value for each account.”), available at http://www.sec.gov/litigation/admin/2011/34-64222.pdf.

[68] Hannah Kuchler, M&A cyber hackers target deal information, Financial Times (Dec. 1, 2014) (noting that FireEye, the firm that discovered the cybercriminals’ scheme, “handed the evidence on the hacking group to the SEC and other regulators and agencies, which may be interested in investigating further.”), available at http://www.ft.com/intl/cms/s/0/b4d6eab4-78e4-11e4-b518-00144feabdc0.html#axzz3cDDQltsB.

[69] Barry Vengerik, Kristen Dennesen, Jordan Berry, and Jonathan Wrolstad, Hacking the Street? Fin4 Likely Playing The Market, FireEye Special Report, 5 (2014), available at https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-fin4.pdf. FIN 4 targets individuals, like corporate executives, researchers, and attorneys, who are likely to possess sensitive business information. Id.

[70] Id. at 5.

[71] U.S. Securities and Exchange Commission, Division of Investment Management, Guidance Update on Cybersecurity, No. 2015-02 (Apr. 2015), available at http://www.sec.gov/investment/im-guidance-2015-02.pdf.

[72] This figure is based upon information provided by the staff of the Division of Investment Management, which derived the figure from the Forms ADV that SEC-registered investment advisers file with the Commission. According to the staff, it is not clear to what extent the $66 trillion figure includes the assets that are managed by registered investment companies. According to figures published by the Investment Company Institute, registered investment companies have roughly $18.7 trillion in assets under management, as of the second quarter of 2015. See https://www.ici.org/research/stats.

[73] U.S. Securities and Exchange Commission, Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2 — Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[74] Id.

[75] Id.

[76] Id.

[77] U.S. Securities and Exchange Commission, Office of Investor Education and Advocacy, Investor Bulletin: Protecting Your Online Brokerage Accounts from Fraud (Feb. 3, 2015), available at http://www.sec.gov/oiea/investor-alerts-bulletins/ib_protectaccount.html.

[78] Id.

[79] David X. Martin, Building a More Effective Cybersecurity Defense, Institutional Investor (Sept. 18, 2014) (noting that “[c]ybersecurity is not a problem to be solved — it is an ongoing risk to be managed.”), available at http://www.institutionalinvestor.com/blogarticle/3381726/blog/building-a-more-effective-cybersecurity-defense.html#.VXJoCDbD_5o.

[80] “Success breeds complacency. Complacency breeds failure. Only the paranoid survive.” Andrew S. Grove, Only the Paranoid Survive (1996) (retrieved June 5, 2015, from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/quotes/a/andygrove471638.html).

[81] See Remarks of Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, U.S. Department of the Treasury at the U.S. Securities and Exchange Commission Cybersecurity Roundtable, Transcript p.123 (Mar. 26, 2014) (noting that “one of the most important things that we need to do to combat [cybersecurity] threats is share information . . . .”), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt; N. Eric Weiss, Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis, Congressional Research Service (June 23, 2015) (noting that “[p]olicy analysts have suggested that sharing information about [cybersecurity] breaches could be an effective and inexpensive part of improving cybersecurity.”), available at http://fas.org/sgp/crs/misc/R43821.pdf; Ponemon Institute, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, 1 (Apr. 2014) (noting that participants in a survey of “701 IT and IT security practitioners” agree that “the ability to share threat intelligence is important to improving their organizations’ security posture as well as the nation’s infrastructure.”), available at http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf; Eric A. Fischer and Stephanie M. Logan, Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 as Passed by the House, Congressional Research Service (June 4, 2015) (observing that “[b]arriers to sharing have long been considered by many to be a significant hindrance to effective protection of information systems, especially those associated with critical infrastructure.”), available at http://fas.org/sgp/crs/misc/R43996.pdf; and Verizon, 2015 Data Breach Investigations Report, 10 (Apr. 13, 2015) (noting that the sharing of threat intelligence “should lead to a form of ‘herd alertness,’ similar to the way plains animals warn each other when predators are nearby.”), available at http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/.

[82] Chris Johnson, Lee Badger, and David Waltermire, Guide to Cyber Threat Information Sharing (Draft), NIST Special Publication 800-150 (Draft), 1-2 (Oct. 2014) (noting that “[t]o enhance incident response actions and bolster cyber defenses, organizations must harness the collective wisdom of peer organizations through information sharing and coordinated incident response.”), available at http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf.

[83] Some experts believe that cyber threat information sharing is not an effective method of preventing cyberattacks. For example, some information security experts point out that existing information sharing measures run by private companies, like IBM and Dell SecureWorks, do little to prevent attacks. See Andrea Castillo, Cybersecurity bill more likely to promote information overload than prevent cyberattacks, The Hill (May 7, 2015), available at http://thehill.com/blogs/congress-blog/homeland-security/241242-cybersecurity-bill-more-likely-to-promote-information. Similarly, one study found that the increased sharing of cyber threat information among federal agencies did not prevent the number of security incidents at these agencies from rising by more than 1,000% between 2006 and 2013. Eli Dourado and Andrea Castillo, Federal Cybersecurity Breaches Mount Despite Increased Spending (Jan. 20, 2015), available at http://mercatus.org/publication/federal-cybersecurity-breaches-mount-despite-increased-spending. In addition, a recent study by the Congressional Research Service observed that, while improved cybersecurity information sharing is a broadly supported goal, it could require difficult trade-offs, and its benefits may prove uneven across different industries and business types. Eric A. Fischer and Stephanie M. Logan, Cybersecurity and Information Sharing: Comparison of Legislative Proposals in the 114th Congress, Congressional Research Service (June 12, 2015), available at http://www.fas.org/sgp/crs/misc/R44069.pdf. What these criticisms ultimately point to, however, is the truism that the sharing of cyber threat intelligence can be helpful only if the recipients are willing and able to make use of the intelligence. See, e.g., Testimony of Richard Bejtlich, Chief Security Strategist, FireEye, Inc., before the Senate Committee on Homeland Security and Governmental Affairs (Feb. 3, 2015) (noting that “[t]hreat intelligence can help defenders more quickly resist, identify, and respond to intrusions, but only if the organization is postured to succeed. Until one invests in sound strategy, processes, people and technology, no amount of information sharing or threat intelligence will be sufficient.”), available at http://www.brookings.edu/research/testimony/2015/02/02-protecting-america-from-cyber-attacks-information-sharing-bejtlich. In this vein, I note that the recent cyber-attack against the federal government’s Office of Personnel Management (“OPM”), which exposed the personal information of roughly four million government workers, exploited a vulnerability that OPM had been alerted to, but failed to correct. John Sexton, OPM Was Urged Last Year to Shut Down Systems Without a Valid Security Authorization but Refused, Breitbart (June 16, 2015), available at http://www.breitbart.com/big-government/2015/06/16/opm-was-urged-last-year-to-shut-down-systems-without-a-valid-security-authorization-but-refused/.

[84] Denise E. Zheng and James A. Lewis, Cyber Threat Information Sharing: Recommendations for Congress and the Administration, Center for Strategic & International Studies (Mar. 2015) (noting that “[c]yber threat information sharing is not a cure-all solution, but it is a critical step toward improving cyber defenses.”), available at http://csis.org/files/publication/150310_cyberthreatinfosharing.pdf.

[85] Ponemon Institute, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, 1 (Apr. 2014) (noting that “Most often intelligence is shared through informal peer-to-peer exchanges or through a vendor threat exchange service.”), available at http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf.

[86] Id. at 5; Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (quoting Richard Bejtlich, chief security strategist for FireEye, as saying that most information sharing is “done in meetings or private mailing lists, and that sort of thing. Efforts made to date to facilitate computer-to-computer machine-readable [intel] have not worked very well.” Bejtlich is also quoted as saying that there has been no major shift in moving beyond “people congregating in conference rooms and sharing on mailing lists.”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes.

[87] Id.

[88] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (noting that it is widely believed that threat intelligence “expires within seconds or minutes . . . .”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes.

[89] Verizon, 2015 Data Breach Investigations Report, 10-11 (Apr. 13, 2015) (noting that the sharing of threat intelligence “should lead to a form of ‘herd alertness,’ similar to the way plains animals warn each other when predators are nearby.”), available at http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/.

[90] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (noting that, half the time, cyber threat intelligence is received days, weeks, or months after the incident in question, “rendering much of it useless.”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes; Ponemon Institute, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, 18 (Apr. 2014) (noting that only 5% of respondents receive threat information in real time), available at http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf.

[91] National Council of ISACs Website, About Us (noting that “ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors, and with government. ISACs take an all-hazards approach and have strong reach into their respective sectors, with many reaching over 90 percent penetration. Services provided by ISACs include risk mitigation, incident response, alert and information sharing. The goal is to provide users with accurate, actionable, and relevant information. Member benefits vary across the ISACs and can include: access to a 24/7 security operations center, briefings, white papers, threat calls, webinars, and anonymous CIKR Owner/Operator reporting.”), http://www.isaccouncil.org/publications.html (last visited June 10, 2015). Financial firms, for example, participate in the Financial Services ISAC, which is widely viewed as the gold standard of ISACs. Rachel King, American Express CIO Testifies Before Senate on Cybersecurity and Info Sharing, The Wall Street Journal (Jan. 28, 2015) (noting that the FS-ISAC “is often considered the gold standard of industry-based cybersecurity information sharing.”), available at http://blogs.wsj.com/cio/2015/01/28/american-express-cio-testifies-before-senate-on-cybersecurity-and-info-sharing/.

[92] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (quoting William Nelson, president and CEO of the FS-ISAC, as saying “[a] lot of dialog [sic] in information-sharing is going back and forth, did anybody see this, and they raise their hand.”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes.

[93] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (quoting Mike Davis, CTO at CounterTack, who has worked with the FS-ISAC as well as other ISACs, as saying that ISACs are “usually late with their information. Most of the time, it’s after something hits the news . . . .”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes.

[94] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes.

[95] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (quoting Mike Davis, CTO at CounterTack, who has worked with the FS-ISAC as well as other ISACs, as saying that ISACs are “usually late with their information. Most of the time, it’s after something hits the news . . . .”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes; Ponemon Institute, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, 18 (Apr. 2014) (noting that only 5% of respondents receive threat information in real time), available at http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf.

[96] Kelly Jackson Higgins, Efforts To Team Up And Fight Off Hackers Intensify, InformationWeek (Mar. 5, 2015) (quoting Mike Davis, CTO at CounterTack, who has worked with the FS-ISAC as well as other ISACs, as saying that ISACs are “usually late with their information. Most of the time, it’s after something hits the news . . . .”), available at http://www.darkreading.com/analytics/efforts-to-team-up-and-fight-off-hackers-intensify/d/d-id/1319368?print=yes.

[97] Ponemon Institute, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, 10 (Apr. 2014) (noting that “sixty-two percent [of respondents] say improved collaboration and elimination of silos such as by industry, geography or community would improve sharing [of threat intelligence].”), available at http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf. The failure to share cyber threat intelligence across different industries may be particularly shortsighted, since one recent study showed that “[m]any subsectors in different industries actually share a closer threat profile than do subsectors in the same overall industry.” Verizon, 2015 Data Breach Investigations Report, 25 (Apr. 13, 2015), available at http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/. For example, this study found that two “manufacturing subsectors have more in common with central banks than they do with each other” when it comes to their cybersecurity profiles. Id. The study concludes from this evidence that “our standard practice of organizing information-sharing groups and activities according to broad industries is less than optimal. It might even be counterproductive.” Id. at 26.

[98] Promoting Private Sector Cybersecurity Information Sharing, Exec. Order No. 13691 (Feb. 20, 2015), 80 Fed. Reg. 9349, available at http://www.gpo.gov/fdsys/pkg/FR-2015-02-20/pdf/2015-03714.pdf.

[99] Steven Norton, Information Sharing Orgs weigh in on Obama’s Executive Order, The Wall Street Journal (Feb. 17, 2015), available at http://blogs.wsj.com/cio/2015/02/17/information-sharing-orgs-weigh-in-on-obamas-executive-order/.

[100] Ponemon Institute, Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, 10 (Apr. 2014), available at http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf; Eric A. Fischer and Stephanie M. Logan, Cybersecurity and Information Sharing: Comparison of Legislative Proposals in the 114th Congress, Congressional Research Service (June 12, 2015) (noting that “[p]rivate-sector entities often claim that they are reluctant to share such information among themselves because of concerns about legal liability, antitrust violations, and potential misuse, especially of intellectual property, including trade secrets and other proprietary business information.”), available at http://www.fas.org/sgp/crs/misc/R44069.pdf.

[101] See Ed Pagano, David S. Turetsky, Barney J. Skladany Jr., and Matthew Thomas, House passes cybersecurity information sharing bills, Akin Gump Deal Diary (Apr. 23, 2015) (noting that the House of Representatives passed two bills that would “facilitate the sharing of classified and declassified cyber threat indicators in the possession of the federal government with private entities,” and “provide liability protections for private companies sharing cyber threat information within the private sector,” respectively. The article further notes that the Senate has proposed its own legislation, the Cybersecurity Information Sharing Act.), available at http://www.lexology.com/library/detail.aspx?g=a9184643-da65-4d30-92c4-752bdccf3a28.

[102] PwC, Investor Responsibility Research Center Institute, What investors need to know about cybersecurity: How to evaluate investment risks, 5 (June 2014), available at http://irrcinstitute.org/pdf/cybersecurity-july-2014.pdf; see also Comment Letter of Jacob S. Olcott Regarding the SEC’s Cybersecurity Roundtable (July 7, 2014) (asserting that “cyber risk and incident disclosure is performed inconsistently by businesses today. The result is that investors are taking on significant, uncompensated risk, and are often left unaware of critical cyber-related risks or incidents that have or may result in large financial loss.”), available at http://www.sec.gov/comments/4-673/4673-11.pdf. Importantly, Commission staff has been working diligently to ensure that public companies’ cybersecurity disclosures are meaningful, informative, and consistent with federal securities laws. In the first year and a half after the issuance of the 2011 guidance, staff in the Division of Corporate Finance sent comment letters to approximately 50 public companies requesting information about cyber incidents and information security. See Letter from Mary Jo White, Chair, Securities and Exchange Commission to Senator John D. Rockefeller IV, Chairman, Senate Committee on Commerce, Science, and Transportation (May 1, 2013), available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=7b54b6d0-e9a1-44e9-8545-ea3f90a40edf. These comment letters effectively required companies to commit to disclosing the fact of past incidents, though disclosure of particular details and circumstances was not necessarily required.

[103] See Transcript of the U.S. Securities and Exchange Commission Cybersecurity Roundtable (Mar. 26, 2014) (several participants noted that the disclosures companies currently make about their cyberattack risks are often too generic to provide much insight), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.

[104] I note that two Congressmen recently wrote a letter to Chair White urging her “to update the SEC’s cybersecurity disclosure guidance for publicly traded companies.” Letter from Congressmen Jim Langevin and Jim Himes, Members, Committee on Homeland Security, Cybersecurity, Infrastructure Protection, and Security Technologies, to Mary Jo White, Chair, Securities and Exchange Commission (June 17, 2015), available at http://langevin.house.gov/sites/langevin.house.gov/files/documents/06-17-15_Langevin_Himes_Letter_to_SEC.pdf. The need for further guidance on cybersecurity disclosures is further highlighted by a 2013 study, which found that 12% of Fortune 500 companies, and fully 22% of Fortune 501 to 1000 companies, failed to mention cyber risks at all in their public disclosures. Willis Fortune 1000 Cyber Disclosure Report, 2 (Aug. 2013), available at http://blog.willis.com/wp-content/uploads/2013/08/Willis-Fortune-1000-Cyber-Report_09-13.pdf. Equally distressing is that only 13% of Fortune 500 companies, and 12% of Fortune 501 to 1000 companies, mention vendor risk in their cyber risk disclosures. Id. at 11. The staff may want to consider whether further guidance is needed to ensure that public companies provide adequate disclosure about their cyber risks.

[105] See Remarks of Mark Graff, Chief Information Security Officer, NASDAQ OMX, at the U.S. Securities and Exchange Commission Cybersecurity Roundtable, Transcript pp. 150-51 (Mar. 26, 2014) (“According to our understanding, the guidance we got from SEC on this a couple of years ago was that in the case where a brokerage house might have been compromised and an improper trade had, in fact, been -- an order had, in fact been issued from a compromised system, you know, our question was, ‘What do we do about that?’ And we -- as we understand it, the guidance currently is that since it's not an ‘erroneous’ trade as such but, in fact, it was a trade that had legitimate earmarks but was not the true volition of the brokerage house -- our understanding is that we're not empowered to break that trade. And so we'd love to have some clarification from that from SEC not in the case of the large catastrophe, which we think we comprehend pretty well. But in the smaller issues, what would be the current thinking?”), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.

[106] See Remarks of Mark Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation, at the U.S. Securities and Exchange Commission Cybersecurity Roundtable, Transcript pp. 152-53 (Mar. 26, 2014) (noting that “the rules for declaring self-help are pretty well understood. What's a little murkier and something we need to explore in this threat domain that Katheryn led to is what happens if every exchange declares self-help at the same time, right, because of some pan cyber-attack across multiple infrastructures. And I think those types of policy issues are ones that the recovery aspects are -- they need more focus. We need to think about that as market infrastructures. If there is a data corruption event in one part of the ecosystem, how does that get unwound? You know, all the markets we have are interlinked with each other, so if you have a problem with one space and you have to go back to an IT snapshot from many hours before, what can everybody else do? Do you have parity in the markets where 50 percent of the firms can go to a snapshot that's 6 hours hold and 50 percent can't? Do you still have a functioning market then?”), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.

Modified: June 25, 2015