SEC charges four companies with misleading cyber disclosures

(www.sec.gov)

81 points impish9208 | 4 comments | 22 Oct 24 16:56 UTC | HN request time: 2.533s | source

Show context

hn_throwaway_99 ◴[22 Oct 24 17:43 UTC] No.41916731[source]▶

>>41916246 (OP) #

It's amusing to me how the economic and cultural incentives at so many companies is to lie as much as possible when it comes to breach disclosures while pretending that you're still technically telling the truth.

I think that in all of these cases it would have been no worse for the companies in question if they just sent out a dry, "just the facts, ma'am" report of what actually happened, without any of the BS "the security of our customer data is our primary priority!" statements to begin with that always accompany these kinds of breach disclosures. E.g. something like:

On <date>, due to a vulnerability in the third party vendor SolarWinds which provides network security services for us, we detected the following breaches of customer data:

1. xxx

2. yyy

The steps we are currently taking, and what you should do: zzz.

----

Perhaps one good thing that can come out of this is that some sort of "standard" format for breach disclosures comes about (think the "Nutrition Facts" labels on food boxes in the US). All I do when I see companies trying to minimize breach disclosures is assume they're bullshitting anyway.

replies(3): >>41918007 #>>41918463 #>>41918586 #

1. SpicyLemonZest ◴[22 Oct 24 20:55 UTC] No.41918586[source]▶

>>41916731 #

I'm sympathetic, but I feel like the order against Mimecast illustrates a big part of the problem here. This seems to me like a pretty detailed disclosure:

> The investigation revealed that the threat actor accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack. We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service. We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products. We will continue to analyze and monitor our source code to protect against potential misuse.

But the SEC feels this was misleading, because they did not specify which source code repositories were targeted or what percentage of the code in those repositories was exfiltrated. That's the dynamic that drives these kind of disclosures, oversharing driving demands for even more absurd levels of oversharing. They had to go calculate that precisely 76% of their M365 interop code was exfiltrated - is that information worth the cost of producing it, or even valuable to anyone in any way?

replies(2): >>41919211 #>>41919270 #

2. Veserv ◴[22 Oct 24 22:05 UTC] No.41919211[source]▶

>>41918586 (TP) #

You do not need to say precisely 76%. Nobody is going to complain if you spend less resources to get a less strict upper bound like 80%. Hell, you can make it easy for yourself and just say 100%; costs nothing and guaranteed to not understate the customer impact. The problem is deceptively implying less customer impact.

But no company will deliberately overstate the customer impact, think of what it would do to their bottom lines. They much prefer spending a bunch of money to minimize overstating. Exactly.

If only they were allowed to understate customer impact then they could harvest even more of that reputational arbitrage is not a very compelling justification.

3. notatoad ◴[22 Oct 24 22:13 UTC] No.41919270[source]▶

>>41918586 (TP) #

>is that information worth the cost of producing it, or even valuable to anyone in any way?

It's valuable to the SEC, because they're the ones tasked with enforcing these rules and specifics are what allow for enforcement. If you publish an actual percentage, then they can ding you for lying if the percentage was wrong. being vague isn't misleading on its own, but it can be used to be misleading.

if they actually know what was exfiltrated, then putting specifics in the disclosure should be a trivial matter. maybe not a percentage of lines in the codebase, but you've got to give the SEC enough that they could potentially check it and determine if it was a lie. and "a limited number" isn't specific enough to do that.

replies(1): >>41919903 #

4. SpicyLemonZest ◴[22 Oct 24 23:42 UTC] No.41919903[source]▶

>>41919270 #

I don't agree that the Securities and Exchange Commission is tasked with enforcing good cybersecurity disclosures. You'll note that this settlement formally has to do with the companies' statements to investors, although I agree with the implicit assumption a lot of people upthread are making, that the charges would not have been filed if customer disclosures were adequate.

↑