There is a quiet revolution occurring in how we evaluate whether companies can be trusted. After all, whether buying widgets or the securities of a company, the purchase decision involves a calculation of confidence that we will get what we believe we are purchasing. Indeed, much of the modern legal framework regulates what information is required to be disclosed to make the commercial transaction acceptable: financial statements, food product content, drug warning labels, new car purchase stickers, contractual warranties, etc. All of these exist to enable informed decisions, but somehow we have made little progress in terms of our ability-as consumers-to obtain insights as to the digital trust a seller or supplier can demonstrate.
Whether looking to make stock investments or obtain Internet-based services from “cloud providers”, a growing momentum exists to demand increased transparency regarding how well companies manage their digital infrastructure. On different fronts, companies are facing new formal legal requirements and the pressure of voluntary compliance with mechanisms to report and disclose information about how they create and manage their information systems.
Public Company Disclosures
In October, 2011, the U.S. Securities and Exchange Commission published a Guidance on the obligations of registered companies to disclose cybersecurity risks and cyber incidents. The Guidance is available here. The Guidance examines different types of disclosures that are to be made in order that a reasonable investor making an investment decision does not rely on disclosures which would be otherwise misleading. Here are some examples:
· If an investment would be speculative or risky because of the risk of cyber incidents, those risks should be disclosed if they would be among the significant risk factors. Risk factors that are disclosed need to describe the nature of the risks and their impact on the company.
· Actual cyber incidents that have a material impact on the company (an example given by the SEC is a cyber attack embedding malware that compromises customer data) may also require disclosure.
· The financial impact of specific attacks may also require discussion in the “Management’s Discussion and Analysis”.
· Material pending legal proceedings involving a cyber incident may be appropriate for disclosure.
· Financial statements can take into account both investments in prevent cyber incidents, as well as their impact on diminished cash flows, customer goodwill, and customer-related intangible assets.
There is no question that this guidance will provoke considerable discussions in corporate board rooms regarding whether any real cyber security risks exist. But the SEC has taken an important step forward—it has empowered investors to have (a) a legitimate basis of inquiry regarding the information systems of a company, and (b) a basis to ask questions regarding the security and integrity with which those systems are maintained which are no different in their value to the investment decision than questions regarding the physical facilities, human resources, intellectual property, and other assets of a company.
In doing so, the SEC has also put into motion a further dimension of the dialogue that occurs between public companies and their service providers regarding cyber security and cyber incidents. Now, addressing information security, system security risks, and the security controls that are required by commercial contracts is no longer a discretionary item. Far too often, these topics are minimized in the contracting process, addressed with general, non-binding language, or avoided completely.
Now, the public companies have the incentive to demand a quality of security across their entire operations (including those that engage cloud-based service providers) that enables (a) material cyber risks and the potential for adverse incidents to be controlled (thereby avoiding the public disclosure of those risks), and (b) remedial and corrective action plans to be in place to assure that any incident, if it does occur, is less likely to create a reportable event.
Disclosing Cybersecurity Controls
The Cloud Security Alliance (CSA) has taken a different, and perhaps more influential step. Many lawyers and information security managers have been frustrated by the inflexibility of cloud service providers in addressing security concerns substantively in the related commercial contracts. Often, the service providers, whether providing software, platform, or infrastructure as a service, oppose making contractual undertakings that enable their customers better confidence the customers are able to meet increasingly complex legal rules for maintaining information security controls.
CAS has announced a free and publicly accessible registry that allows service providers to file and document the security controls they offer. The service is called the Security, Trust and Assurance Registry (STAR). Detailed information on STAR is available here. The service was launched with the initial filings of Google, Microsoft, Verizon, Intel and McAfee. Vendors may submit either one of two types of reports, each of which requires detailed disclosures regarding their security practices, and the alignment of those practices with published CSA best practices.
STAR is an important innovation because it sets a standard of care in place for how vendors earn the confidence and trust of their customers, as well as the larger ecosystem a specific customer may support. For example, ABC Manufacturing selects Vendor X to host in the cloud various services that provide data and reporting on 6,500 distributors of ABC products. Those distributors now have greater visibility into the security controls that enable the data services, and in turn, should have better ability to address their own compliance mandates.
Clearly, competitive advantage is going to be realized by those who understand, and do not try to deny, the importance of transparency. Those vendors who decline to participate face two new hurdles. First, customers will make competitive peer-to-peer comparisons between vendors who participate in STAR and those that do not. Second, the SEC guidance, which will surely be copied over time by other national agencies, creates regulatory demands that make it difficult for any public company (or their providers) to do business with a cloud vendor that cannot offer the transparency required to document cyber incident risks are controlled and not reportable.
Where does this lead?
As consumers and customers, and as vendors and sellers, all of us see both sides of the process through which trust is secured that enables a transaction to be executed. Working for our company, we often try to secure the sale with our smiles, great pricing, and advertising. But, in the evening, as consumers and investors, we aggressively investigate any seller, blowing past smiles, pricing and advertising to seek knowledge that informs our decision: crowd-sourcing (such as eBay merchant evaluations), investment analyses, product reviews, etc. It is an essential truth in an open, competitive digital market that the vendor that does not provide comparable information, both in the types of information and quality, will be dis-favored by the consumer.
Technology enables transparency, but it also enables us to express and incorporate into our purchasing our own criteria and preferences. There is no barrier today that precludes customers from demanding transparency on security controls, as well as the effectiveness of those controls. Nor is there any barrier to expanding the criteria on which we seek information until, for any single transaction, we reach a point of indifference. I believe this drive toward transparency will continue and gain momentum across a much larger catalog of criteria than security controls. Each additional object of information allows us to lower our risk that a decision to trust a vendor is subsequently voided by performance failures on which we could have asked better questions.
Companies must anticipate this level of disclosure and build into their system designs the expectation that their controls, their performance, and their failings, will be reportable events, not just internally but to external audiences (such as regulators or customers). It will no longer be sufficient to offer that “we employ commercially reasonable information security procedures”; instead, transparency will be competitively required to enable the trust decisions a customer must make.