Over the last five years, there has been a marked shift in how businesses view cybersecurity. As evidence, cybersecurity spending has soared. Gartner predicts 2016 will see worldwide information security spending reach $81.6 billion (7.9 percent over the record-breaking 2015 figure), and Cybersecurity Ventures projects $1 trillion will be spent globally on cybersecurity from next year to 2021
Embarrassing and costly data breaches have been a hazard of business since the rise of the internet, and many government and industry regulations have carried fees for non-compliance since their inception.
So what’s changed to bring cybersecurity out of the basement and into the board room?
Cybersecurity Impacting Stocks, Mergers and Acquisitions
Two recent incidents have taken cybersecurity into new territory and illuminate the shift in business perception of cybersecurity.
In August, the cybersecurity firm MedSec used its knowledge of an undisclosed vulnerability in a medical device to short sell the stock of its manufacturer, St. Jude Medical. On August 25, 2016 MedSec’s investment firm released the report on the attack risks to the medical device, resulting in a five-percent drop in St. Jude’s stock. The loss combined with the potentially life-threatening device vulnerability threatened to put the manufacturer’s $25 billion sale to Abbott Laboratories in jeopardy.
While St. Jude’s stock has rebounded, it is still below pre-August 25 levels. It has since taken legal action against MedSec and their investment firm.
Similarly, when news broke September 23 that (at least) 500 million Yahoo user credentials were stolen in a breach undetected since 2014, Yahoo’s sale to Verizon Communications came into question. The $4.8 billion cash sale of Yahoo’s core business is still in early stages, and Verizon could the largest hack of a single company as leverage.
According to a “New York Times” interview, Boston College Law School Professor Brian Quinn said Verizon could call off the deal entirely by contending “certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld information,” thus violating the merger agreement. Quinn argues it’s more likely, though, that Verizon will use the incident to renegotiate terms more favorable to them.
Yahoo’s alleged secret scanning of customer email data for U.S. intelligence could be another cybersecurity issue used to stir the pot of the merger.
Regulations Get Teeth
The General Data Protection Act (GDPR) should be on the minds of everyone doing business in the European Union. The legislation will give citizens more confidence over their personal information, and make companies responsible for keeping their data secure. It lays out mandatory and timely data breach reporting, extends the definition of personal data and enshrines the “right to be forgotten in law.
GDPR won’t be in effect until May of 2018, but organizations are already scrambling to understand and implement the necessary changes before that date hits. One reason for this is GDPR will dramatically increase penalties for non-compliance, with fines of up to €20 million (or four percent of turnover) – significantly higher than the €750,000 penalty under the current Data Protection Directive.
Closer to home, New York State has proposed cybersecurity regulations aimed at guarding consumer data and financial systems from cyberattacks. The regulations would require all banks and insurance companies operating in the state to designate a CISO, adopt written cybersecurity policies and implement annual penetration tests, among other seemingly basic requirements.
Notably, under the proposed regulations, board or senior compliance officers would need to certify their organization’s security controls are meeting requirements. This could potentially expose such individuals up to criminal liability if the claim is found fraudulent.
You Have My Attention (and Budget Carte Blanche)
Executives and board members pay attention when their jobs, companies and tens of billions of dollars are at stake.
While overall cybersecurity spending is on the rise, certain organizations aren’t putting a cap on how far. This year, Bank of America has implemented a “whatever it takes” approach to thwarting attacks, giving unlimited budget to its cybersecurity business unit.
While there will surely be scrutiny to the effectiveness and ROI of how such (non) budgets are spent, it’s the C-suite has gotten the message. Lax security practices don’t just mean embarrassing headlines and lost customer confidence. The consequences have become much more tangible and outlined in terms non-security professionals can understand – usually with a dollar sign in front of it.