Legislation to Force Companies to Reveal Cyber Attack

By   ISBuzz Team
Writer , Information Security Buzz | Jan 19, 2016 07:00 pm PST

MP Dr Liam Fox call for companies to come clean after cyber attack. Chris Wysopal, CTO and CISO at Veracode have the following comments on it.

Chris Wysopal, CTO and CISO at Veracode :

“There is no question that responsible disclosure is a good policy, however globally there remains limited precedent for it. In the US, companies listed on the NASDAQ Stock Market or the New York Stock Exchange are required to notify the public if the leaked information would “reasonably be expected to affect the value of a company’s securities or influence investors’ decisions.” While in Europe, the General Data Protection Regulations, set to come into force in 2018, will require companies to tell the DPA and the data subjects if a breach occurs.

But while a good precedent, the cyber liability trend is being tied to the damage of the breach itself and where the organisation’s previous cybersecurity measures were not found to be reasonable. For instance, the case of Wyndham Hotels in the US affirmed the Federal Trade Commission’s authority to hold companies to account for failing to securely store customer data, and the UK government launched an inquiry after the most recent Talk Talk breach.

It’s extremely positive to see that British MPs are engaging with the problem of cybersecurity and considering what legislative steps they can take that will enable them to positively influence corporate cybersecurity culture. We know that personal liability and regulation can have a massive impact on changing norms and encouraging safer behaviour: just this month marks 50 years since the first seatbelt legislation in the UK which has subsequently saved thousands of lives. It is essential that companies take cybersecurity seriously and if such measures would force them to address these threats more comprehensively, it can only be a positive thing.

If we don’t talk about breaches no one gets blamed. No one did anything wrong. No one is liable. No outside criticism, positive or negative. But if we do this no one learns. Well except for the attackers. They learn. In engineering we learn from every failure. Structural engineers study bridge failures or building failures so they can learn to not make the same mistakes. Pilots and aeronautical engineers learn from every plane crash how to improve procedures, the manufacturing process and the design of planes. Keeping the engineering and process that led to security failures is like science and engineering in the old Soviet Union. It didn’t turn out so well for them compared to the open science and engineering of most of the world. Secrecy hurts the builders and defenders of secure systems and helps only the attackers.”

[su_box title=”About Veracode” style=”noise” box_color=”#336588″]veracodeVeracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises.  By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security.Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.[/su_box]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x