81 points impish9208 | 2 comments
MattSteelblade ◴[] No.41917058[source]
> Unisys will pay a $4 million civil penalty;

> Avaya will pay a $1 million civil penalty;

> Check Point will pay a $995,000 civil penalty; and

> Mimecast will pay a $990,000 civil penalty.

With the exception of Mimecast, these are companies that are bringing in billions of dollars in revenue annually. How is this supposed to deter them?

replies(7): >>41917158 #>>41917164 #>>41917717 #>>41917985 #>>41918127 #>>41918370 #>>41918473 #
teeray ◴[] No.41917985[source]
The law should be written to require a mandatory percentage of revenue. That will wake them up.
replies(2): >>41918203 #>>41918479 #
kmeisthax ◴[] No.41918203[source]
It will not.

The reason why companies get breached is because the systems being breached are all legacy. Company A buys company B who bought company C, which merged with company D. C fires D's old IT department, because it's redundant, so now D's billing system is being managed by C's IT department. C then sells itself to B, who has a much more robust billing system. At this point, it'd make sense to replace the billing system from D, but everyone who knew how it worked got fired in the C/D merger. So it sits around because nobody wants to break that part of the business. Then A buys B and does another round of layoffs, so anyone who even knew about this is gone.

Ten years and hundreds of iterations of this exact cycle later, you get an e-mail from a stranger saying they found all your customer records being sold on a cybercrime forum. Your IT department scrambles to remediate a breach in a system they've never heard of that nobody remembers installing or maintaining. It's just always been there. Corporate amnesia runs deep. People are finding forgotten old servers running unpatched versions of Windows Server 2003 that were so ritualistically overlooked you'd need to be high on Class Z mnestics just to perceive them.

Every enterprise IT department is like this. That's why companies get breached so damned often. There is never enough time in the budget to properly document legacy systems, nor are the decision-makers at the top even aware of the fact that they exist. Their job is to eat things, and they eat voraciously. If you want to stop this from happening, you need to make M&A illegal, not just inflict more pain on the invisible arms the corporate body cannot perceive pain from.

replies(3): >>41918340 #>>41918386 #>>41919709 #
akira2501 ◴[] No.41918386[source]
> Every enterprise IT department is like this.

That's because it's not understood what a liability allowing this to occur is. Perhaps if we fine them based on revenue they would understand that IT is a core part of their company and can no longer live on the edges of the business units.

replies(1): >>41922772 #
jjav ◴[] No.41922772[source]
> That's because it's not understood what a liability allowing this to occur is.

No, it's because they understand what the liability of allowing this is (minimal and inconsequential). So why bother?

replies(1): >>41923297 #
akira2501 ◴[] No.41923297[source]
Clearly not everyone agrees with you that it is minimal and inconsequential. Perhaps you are lucky enough to not have anything vital of yours disclosed without your knowledge or consent.