Cyberattacks a Sarbanes-Oxley Issue?

Cyberattacks a Sarbanes-Oxley Issue?
Cyberattacks a Sarbanes-Oxley Issue?

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

CSO Online
April 10, 2008

Kevin Coleman of Technolytics Institute says cyberattack concerns are 
starting to appear in SEC filings.

There's been a lot of attention paid recently to the threat cyber 
attacks pose to business, society and government.  And no wonder, with 
U.S. Air Force advertisements claiming the Pentagon is attacked three 
million times a day; the Computer Security Institute announcing that 
10,000 distributed DoS attacks occur around the world daily; or the 
estimate that as many as 80 million machines may have been compromised 
by the STORM software worm. Security and business professionals alike 
are increasingly concerned, and even Department of Homeland Security 
Chief Michael Chertoff says that the department has been increasing its 
anti-hacking efforts.  U.S. companies have been primary targets for 
cyber-attacks, and the frequency and sophistication of these attacks are 

Given the regularity of cyber attacks, they have now entered into the 
category of a foreseeable risk, which in legal terms is defined as a 
danger that a reasonable person should anticipate as the result of his 
or her actions or inaction.  In other words, a person or company that 
doesn't respond to a foreseeable risk could be found negligent if they 
depart from the conduct expected of a reasonably prudent person acting 
under similar circumstances.

All that said, business would be well advised to examine the threat of 
cyber attacks and update their business continuity/disaster recovery 
plans. But that's not what I see happening. It's true that businesses 
are changing their approach to cyber-attacks, utilizing both traditional 
means, such as increased risk assessment and training, and 
nontraditional means, like hiring hackers to probe corporate security, 
as well as looking to the federal government for guidance.

However, in a recent presentation I gave to approximately 100 
professionals representing nearly 70 businesses in New York, an informal 
poll of the audience showed that no one has considered a cyber attack in 
their contingency plans.  On further polling, I found that only 4% had 
even heard about the cyber attack that last summer disrupted Estonia's 
infrastructure and banking operations, to the point that the country had 
to shut down key computer systems.

Given a document I stumbled across in January, cyber attacks may have 
also become a Sarbanes-Oxley issue.  A 10Q filed by Respironics, Inc., a 
medical devices manufacturer in Murrysville, Pa., recently acquired by 
Royal Philips Electronics, came up on a Google search for "cyber 
attack." On page 15, the term "cyber-attack" is identified as a factor 
that could cause the company's actual financial results to differ 
materially from the expected results included in the forward-looking 

Historically we have only seen a few high-tech companies identify 
cyber-attack as a risk. Given that Respironics' business is not related 
to information technology or the Internet, it clearly indicates the 
growing business concerns surrounding the threat of cyber attacks.

All this said, given the media attention to this emerging threat, it 
would be difficult to defend against claims of negligence if a business 
experienced a cyber attack that had significant financial implications. 
Corporate governance today requires effective internal controls, and it 
depends on the integrity of information within the organization, as well 
as the identification and management of risks that could potentially 
impact financial performance.  Today more than ever, an organization's 
reputation, brand image and financial results all depend on the 
integrity and availability of its computer systems.

It's up to business and security executives to answer the question, How 
would our company operate without the Internet for one hour, one day or 
one week? The response of one corporate executive I talked to who asked 
not to be identified was pretty frank: "I don't want to even think about 
the disruption and financial implication of the Internet going away for 
a day." What about you? ##


Kevin G. Coleman is a fifteen year veteran of the computer industry. A 
Kellogg School of Management Executive Scholar, he was the former Chief 
strategist of Netscape. Now he is a Senior Fellow and International 
Strategic Management Consultant with the Technolytics Institute an 
executive think-tank. For six years he served on the Science and 
Technology advisory board for the Johns Hopkins University - Applied 
Physics Lab, one of the leading research institutions in the United 
States and served for four years on the University of Pittsburgh Medical 
Centers Limbaugh Entrepreneurial Center's Advisory Board. He has 
published over sixty articles covering security and defense related 
matters including UnRestricted Warfare and Cyber Warfare & Weapons. In 
addition he has testified before the U.S. Congress on Cyber Security and 
is a regular speaker at security industry events and the Global 
Intelligence Summit.

=C2=A9 CXO Media Inc.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods