As discussed previously on Rambus Press, Internet of Things (IoT) devices typically have a number of vulnerabilities. Indeed, a United States Department of Defense report found that there is little to no incentive for IoT device manufacturers to implement more stringent security countermeasures into their products.
While the European Union Agency for Network and Information Security (ENISA) has outlined IoT security problems and possible steps to address them (see Baseline Security Recommendations for IoT), the United States government is adopting a similar measure. The Securities and Exchange Commission (SEC) has issued guidance of its own, calling for public companies to be more forthcoming when disclosing security risks, even before a breach or attack happens.
What the Guidance is For
The guidance was issued as an “interpretive release,” which the SEC uses to publish its views and interpret federal securities laws and SEC regulations. Within the guidance, the commission urged companies to develop policies that allow them to quickly assess cybersecurity risks and decide when to inform the public of them. This is not the first time the SEC has published guidance related to cybersecurity. In 2011, its Division of Corporation Finance first published guidance about disclosing cybersecurity risks and incidents, which was necessary at the time because there were no disclosure requirements regarding cybersecurity issues at all. The last seven years have seen an increasing number of cyberattacks, which necessitated new guidance.
The new guidance was released in February 2018, five months after a massive Equifax data breach in which the information of 145.5 million people was compromised. The credit bureau was criticized for being too slow to inform its users about the incident. Moreover, the Department of Justice is looking into large sales of shares during the period between the breach and when it became public.
The SEC’s guidance added that while it does not suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts, such as providing a “roadmap” for those who seek to penetrate a company’s security protections, it nevertheless expects companies to disclose cybersecurity risks and incidents that are material to investors.
“We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident, which can often be very lengthy, would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident,” the guidance stated. In other words, internal or law enforcement investigations cannot be used as an excuse for failing to inform investors and the public about cybersecurity vulnerabilities.
Skepticism from Democratic Commissioners
While SEC Chairman Jay Clayton believes that the measures proposed by the 2018 guidance will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, the two Democratic Commissioners on the SEC, Kara Stein and Robert J. Jackson, believe the guidance does not go far enough.
Stein said many public companies still provide disclosures about cybersecurity risks that are “far from robust.” Jackson, on the other hand, supports the guidance, albeit reluctantly. He hopes that the guidance “will be the first step toward defeating those who would use technology to threaten our economy.” Urging caution, he stated that the guidance “essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.”
It is without question that IoT devices are lacking in security and that action must be taken to ensure that future developments in the industry will not be as vulnerable to exploits and attacks. The SEC, having issued earlier guidance on cybersecurity in 2011, has now issued more detailed guidance to address cybersecurity risks more quickly.
Moreover, it hopes to hold corporate insiders more accountable, by preventing them from trading shares during critical periods when a breach is not yet publicly known, and by requiring that information be provided to the public as soon as possible. Some on the commission are skeptical, believing the guidance does not go far enough, or that it merely repeats earlier guidance. At least in Jackson’s case, there is hope that the guidance could lead to something more comprehensive.