I have long said that if you look at all the disclosures of cyber attacks and breaches, you may not have an accurate view of the current state of this national security threat. Well, last year CNBC posted a piece titled “Cyberattacks: Why Companies Keep Quiet” that expressed the same concern.
I was involved in a discussion recently about the disclosure requirements that apply when publicly traded companies experience a cyber breach. The rule of thumb is that for a breach or cyber attack to require disclosure, it would have to be “material” (an accounting term). The Journal of Accounting states that “materiality” is based on an assumption that a fluctuation in net income of 5 percent or less is unlikely to influence a reasonable investor.
Take a look at the revenue of those in the defense industry and just how significant the costs of the attack would have to be before it needs to be disclosed. That would explain the limited number of disclosures we see. Do you think this might be what is behind the Securities and Exchange Commission’s (SEC) decision to “Focus on Corporate Cybersecurity Risks in 2014?”
If you examine how much of our military equipment falls into the COTS (commercial off-the-shelf) category, as well as how much of our critical infrastructure is operated by the private sector and how much commercial equipment it uses, you can see the danger of companies and the supply chain being compromised by counterfeit equipment or by products with built-in malicious code. This is a critical issue!
Supply-chain security has increasingly become an area of deep concern for the DoD, the government and the private sector. The Brookings Institution published a report that focuses on compromised electronic components. In their executive summary they state that the “supply chain is almost completely unprotected.” Given all of that, perhaps COTS should now stand for “Can't Obtain Till Secured,” or at least a clause should be put in all purchasing contracts requiring that all cyber breaches be disclosed.