Cyber Risk and Advanced Persistent Threats
All public companies must file an annual report as required by the Securities and Exchange Commission (SEC) giving a comprehensive summary of a company's performance. This document, called the 10-K, includes information such as company history, organizational structure, executive compensation, equity, subsidiaries, and audited financial statements, among other information. Investors use this information when deciding whether to purchase equity in the company as stock.
More specifically, the 10-K contains a Section 1A called Risk Factors. Here, the company lays out anything that could go wrong, likely external effects, possible future failures to meet obligations, and other risks disclosed to adequately warn current and potential investors. Examples of risks identified might include: disruption of capital markets, natural disasters, legislative and regulatory actions, or other macroeconomic conditions.
Understanding Cyber Business Risks in the 10-K
On October 13, 2011, in recognition of the fact that nearly all public companies interact with customers or suppliers online, store digital documents, and rely heavily on information technology, the SEC issued new guidance for completing the risk factors section of the 10-K.
"For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant's specific facts and circumstances."
The SEC also mentions that cyber attacks can take the form of a denial-of-service, or may be carried out through highly sophisticated efforts to electronically circumvent network security, using social engineering to gain access to sensitive data.
'Unknown Threats' and Mitigation Strategies
Among the examples of appropriate disclosures for SEC compliance, the SEC lists "Risks related to cyber incidents that may remain undetected for an extended period." This is a direct reference to 'unknown threats' from malicious insiders or malware left behind by advanced persistent attackers.
In the risk factors section of the 10-K, many companies also list ways that particular risks can be mitigated. Using Splunk to monitor 'weak signals' in massive amounts of normal user data for abnormal events is a mitigation strategy for unknown threats from malware that could otherwise go undiscovered for long periods of time.