When Should A CIO Tell The World That They Have Been Hacked?

How important is it that others know that the bad guys got in?
How important is it that others know that the bad guys got in?
Image Credit: Carl Jones

As CIOs we spend a great deal of our time attempting to secure the company’s networks from the bad guys because we understand the importance of information technology. This activity takes on a whole host of different forms: firewalls, end user training, security sweeps, etc. However, sometimes despite our best efforts the bad guys make it over the wall and are able to break into our systems. We may discover this in a number of different ways: log files of network activity, files that have been tampered with, missing or deleted data, etc. A critical question that every person with the CIO job needs to find an answer to is when this happens, who do we have to tell?

What Do The Rules Say?

One of the biggest issues that people in the CIO position need to deal with in terms of handling a break in is that this may have legal implications for the company. The Securities and Exchange Commission (SEC) has said that any event that is “material” (significant enough to influence and investor’s decision to buy the company’s stock) has to be reported to the SEC.

However, fewer and fewer CIOs are electing to do this. There are roughly 9,000 publicly listed companies and since 2010 only 10 of them have told the SEC that they have experienced a cyber break in. This is a problem because is a well-known fact that the number of known break ins across all types of businesses (both public and private) in the U.S. since 2010 totals 2,642.

It’s not like CIOs are not trying to prevent these events from happening. Companies are reported to have spent US$86B last year securing their networks. This was up 18% from the year before. This year companies are expected to spend $94B on such efforts. The issue has become so serious that a number of states have implanted laws that require firms to report cyber break ins that compromise more than a given set of consumer data such as phone numbers or credit card info.

What Is Being Set Up For Reporting?

Since a break in could have an effect on the company’s stock price, these break ins are starting to get the attention of company boards. The boards are trying to determine the customer and financial impact of a breech in order to determine if they are required to report it to the SEC. The issue of cyber security is so important that it has become a reoccurring issue that boards will be revisiting throughout the year.

The problem with the SEC reporting system is that there is no clear way to determine if a break in meets the reporting criteria. Firms are very aware that as of yet the SEC has not started a court case against a firm for not reporting a break in; however, the SEC has been very clear that they could do this at any time. From an investor point-of-view, they want more information about a company’s battles with cyber criminals. They are most interested in events that will impact a company’s profits.

The American Institute of CPAs has gone ahead and created new guidelines that CIOs can use in reporting how they are securing their networks against the bad guys. The challenge here for CIOs is that they really don’t want to offer either too little or too much information to the company’s investors. If a CIO does not come clean about a data breech happening, then investors may believe that something is being hidden from them. Alternatively, there are a lot of minor security events that occur each day that if you notified investors about would just create a lot of unnecessary noise. CIOs are going to have to learn how to strike a balance.

What All Of This Means For You

In the world of CIOs there is probably no more important job than finding ways to secure the company’s networks. We spend both a great deal of time and money to keep our networks safe. The bad guys may still find a way in and if they do, we need to make a decision about whether or not we tell the world about what just happened.

The Securities and Exchange Commission requires companies to report any “material” events that may influence an investor who might be thinking about buying the company’s stock. CIOs need to determine if a cyber break in fits this definition. Since 2010, even as break ins have increased, very few CIOs have done this despite spending great deals of money on trying to protect their networks. Company boards are starting to get involved because of the potential impact of these events. Investors are starting to ask for more network security information because they want to know if breeches will impact profits. CIOs are going to have to determine if an event is worth reporting to the public.

The one thing that we know about the future is that CIOs will continue to keep trying to secure their networks and the bad guys will keep trying to break in. There will always be the case where the bad guys do find a way to get inside of your network and when this happens you have decisions that have to be made. Make sure that you understand the impact of the break in and then do the right thing!

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: If you detect a break in long after it occurred, do you think that you still have to report it?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

Congratulations, you’re now the CIO. Well, maybe not quite. You’re actually the interim CIO. What does this actually mean? What it means is that the company understands the importance of information technology and needs somebody to fill the role of CIO while they go looking for the person that they want to fill it permanently. They think that you are good enough to do the job right now, they just are not sure that they want you doing it for the long run. As you can well imagine, from a career point of view this is both good news and bad news.