Cyber Intrusions: Understanding Cyber Risk

By Wendy Luscombe



Boards need to understand how the new SEC regulations on cyber disclosures may affect the way they oversee risk.

The new US Securities and Exchange Commission (SEC) regulations on cyber-risk disclosure, managing cyber risk, and deciding if a breach is material increase the pressure on boards to understand the nature of cyber risks and what they entail. 

Cyber risk is a massive, detailed, and complex subject. To give an idea, CrowdStrike recently identified the 10 most common cyberattacks:

  • Malware
  • Denial of service
  • Phishing 
  • Spoofing
  • Identity-based attacks
  • Code injection attacks
  • Supply chain attacks
  • Insider threats
  • Domain Name System tunneling
  • Internet of Things-based attacks

Each one of these can be broken down further. Take malware, or malicious software. According to CrowdStrike, the most common types of attack include ransomware, worms, trojans, spyware, and bots. Additionally, there are currently 23 hardware and firmware vulnerabilities that can be exploited. This is a huge threat landscape to consider. However, there are certain characteristics that are shared among most forms of cyberattacks, such as:

  • the degree of complexity,
  • the difficulty in identifying the sender and purpose,
  • the difficulty in identifying the start of the attack, and
  • the difficulty of containment.

The Degree of Complexity 

Some attacks, such as a ransomware attack, may appear quite simple as the purpose and demands seem clear from the outset. However, a simple ransomware attack can be a decoy to plant other malware, even if the ransom is paid. More advanced attacks, known as advanced persistent threats (APTs), copy and corrupt data and systems while adapting to attempts to resist or destroy them. A polymorphic virus, a more sophisticated version of an APT, can create modified versions of itself and can alter its physical makeup during each infection by mutating its encryption codes, which makes it extremely difficult to detect.

The Difficulty in Identifying the Sender and Purpose

Most cyber criminals want to keep their identity a secret, especially if they are corrupting information, stealing data, or spying. Computer forensic experts have several tools they can use to identify attackers, such as packet sniffers, login monitoring, and URL scanners. They also learn the techniques and digital footprints of cyber criminals to help identify them and their organizations. Despite this, it is a constant battle to stay ahead of criminals. Not only is it difficult to identify them, but in many cases, it can be hard to determine the purpose of their attack. The more sophisticated APTs are like missiles; they have a delivery system, a payload, and an execution stage. For example, forensic investigators may only be able to identify the delivery system but not the payload or execution. An investigator may know that the system has been breached but may not know why or even how.

The Difficulty in Identifying the Breach Date

In a 2023 security report, IBM Corp. reported that it took an average of 277 days, nearly nine months, for businesses to identify and contain a data breach. Marriott International and its subsidiaries took almost four years to discover a breach that it became aware of in 2018. The longer it takes to identify a breach, the more it will cost a company. Some cyber criminals use a technique called a zero-day exploit. This exploit takes advantage of security lapses in software, hardware, and firmware and attacks before the software and device manufacturers can patch the vulnerability. Criminals can then access the system for as long as it takes a company to discover their infiltration. This can take months or even years, and when it is discovered, the manufacturer has “zero days” to fix the vulnerability as the product has already been breached.

The Difficulty of Containment 

Computer viruses have been compared to biological viruses. Computer viruses, similar to biological ones, spread from host to host. They are capable of mutating to avoid detection. Computer viruses exploit weaknesses and vulnerabilities in unpatched systems, and they can gain access through unsecured networks and public USB charging ports. Like zero-day attacks, viruses can infect and remain in systems long before they are discovered, which makes containment more difficult.

How to Approach Disclosure 

The SEC’s ruling requires companies to file a Form 8-K within four days after they decide a breach is material. On Dec. 14, 2023, Erik Gerding, director of the SEC’s Division of Corporation Finance, said in a statement (representing his personal views) that “ultimately it is the company’s responsibility to make a materiality determination based on consideration of all relevant facts and circumstances.” There are no special materiality tests for cyber breaches.

If your company has just discovered an APT, deciding whether the breach is material is complicated even with the best consultants and chief information security officer, as its full effect could be triggered over weeks if not years. At that point, one might not recognize that the virus could be devious, such as a polymorphic virus with all its permutations. The most conservative approach would be to assume that most breaches are material unless there is certainty about the circumstances.

One way to protect companies and their boards from unknowingly failing the materiality test, even before a breach, may be to include a general disclosure statement on cybersecurity risks in the risk factors section of their 10-Ks. Virtually every company discloses its exposure to cyber risk and attack, but firms generally do not discuss the unique characteristics of cyber-risk exposure. For instance, a separate but specific cyber-risk exposure disclosure could state that, while the company at this stage is not aware of any cyber breaches, attacks, or malicious software or hardware, these could be present in any of the company’s systems (and those of its suppliers, customers, vendors, and contractors). When discovered, these could cause the company to suffer a material data breach. The disclosure could also explain that, while a company and its consultants perform regular audits of its information systems security, it cannot audit its vendors’, suppliers’, and customers’ systems in the same way or monitor containment or the spread of malware there.

Moreover, the new SEC disclosure on cybersecurity risk management strategy in the 10-K can also detail safeguards in place, such as zero-trust architecture, encryption, and multifactor authentication. The goal is for the company to give as much general disclosure information as it can to warn the public against unforeseen circumstances that may arise before the company can detect them as material during a cyber incident.

Wendy Luscombe

Wendy Luscombe is an independent board member specializing in climate issues, information security, and risk management.