This is the first installment of a three part series..
Over the next three installments, let’s work through the reality of the following questions in light of the recent Capital One Data Breach. The Cybersecurity ‘profession’ continues to evolve, criminals continue to evolve, regulatory oversight continues to evolve, but are we truly learning and gaining ground on the right things?
So what are we learning?
- How could Capital One’s Board of Directors have known of this potential risk?
- Would Capital One shareholders have known this risk exist?
- Was there an opportunity for the Capital One executive team to understand and support mitigating the risk?
- How would US Federal Regulators have identified this weakness as an audit finding?
- Would US Federal or State Privacy regulations have changed the operational processes?
- What Capital One Cybersecurity metrics would have shown this area as a threat?
Before reading further, please realize and review my history, as this is in no way a criticism of Capital One, their Cybersecurity team, nor the cloud provider involved. There is something for all of us to learn from this latest situation.
I believe what has been presented in the media, to date, regarding the Capital One data breach, highlights areas we are all struggling with in our quest to protect businesses. How can we all learn together, reducing risk across businesses?
While attending the Masters in Information Assurance program at Norwich University in 2003, I had the amazing opportunity to study with Peter Neumann. Peter has been researching computer risk since the 1970’s, and simply put, he suggests that companies are, and will continue, to make the same mistakes over and over. I highly recommend spending some time digging into his research, found here. Unfortunately, his research does appear to hold true even today.
Following the Equifax breach in July 2017, the US Securities and Exchange Committee (SEC) released guidance regarding Cybersecurity disclosures to include incident reporting to the board of directors of public companies. Further focus has been given to actual Cybersecurity expertise within a board through the Cybersecurity Disclosure Act, proposed bill H.R.6638 — 115th Congress (2017-2018). The proposed bill specifically states that a company is to:
- disclose in its mandatory annual report or annual proxy statement whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience; and
- if no member has such expertise or experience, describe what other company cybersecurity steps were taken into account by the persons responsible for identifying and evaluating nominees for the governing body.
Remaining on the topic of board oversight, the National Association of Corporate Directors (NACD) suggests board members are “trusted stewards of long term value creation.” I could not agree more that, today more than ever, boards should maintain at least one member who is actually experienced in Cybersecurity practices, and to ask key questions of executives around Cybersecurity business risks.
Given the recent Capital One data breach, how would the board have known of the potential risk? What about Equifax and their data breach? How would their board have known and understood a potential risk existed? Would shareholders have known based on current annual reports? Is the new guidance standards and proposed bill on the right track?
Review the recent SEC guidance, and the proposed bill, and let’s open the discussion regarding Board oversight and Shareholder awareness relative to the recent Capital One data breach.
Copyright 2004-2019 Securing Reality, LLC
John W Graham.
All Rights Reserved
Post Editor: Renee Palmer.