The U.S. Securities and Exchange Commission (SEC) has spoken. It says companies that fail to properly secure their data could be breaking federal law. The idea of law breaking came about in a report that investigated nine unidentified companies that have suffered cyber attacks. The report questions whether they had the proper internal accounting controls in place.
Those systems are required by law.
The investigation focused on business email compromises. This is a way cyber criminals get access to bank accounts and other information. They pose as company executives and other employees to get information sent to them. Scams like this, says the FBI, have cost businesses $5 billion since 2013.
Stephanie Avakian is the co-director of the SEC Enforcement Division. She said these scams aren’t that sophisticated. They rely upon human inattention to succeed.
“We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” she said.
The warning from the investigation is clear. Regulators, Congress and consumer groups are watching, and are growing more and more focused on requiring companies to do all they can to keep data secure.
By the way, those regulating regulators ought to also pay attention. On October 4th the Pentagon said the system it uses to maintain travel records was hacked. The Department of Defense said 30,000 records were accessed.
As an FYI, the department says it does not administer those records. That has been outsourced to a third-party contractor. It also says 30,000 records isn’t all that many when you consider the Department of Defense is the nation’s largest employer.
It has 1.3 million enlisted men, and 742,000 civilians work for the department.
Source links: Reuters, Insurance Journal, Forbes