With the amount of commerce conducted through networks increasing exponentially each year, the importance of implementing robust cybersecurity policies is as critical as ever. Just last month, the Congressional Research Service released its paper about cybersecurity information sharing and how this helps companies decrease preventable breaches. Coupled with industry research, the paper is a must-read for industry leaders of any business dealing with Internet-based transactions.
How Security Breaches Impact the U.S. and World Financially
The Center for Strategic International Studies places cybercrime between $375 and $575 billion globally per year. This estimate takes into account hundreds of millions of people who have had personally identifiable information (PII) stolen, plus damages incurred by companies and the global economy. The 2014 Ponemon Institute Cost of Cyber Crime Study calculated an average increase for cybercrime cost for U.S. companies of 9% from 2013 to 2014. These numbers are only expected to grow.
Cybersecurity Information Sharing
Information sharing about new threats, best practices and industry trends is beneficial:
- Small businesses can prepare for and protect against attacks.
- Information sharing can positively impact the reputation of a company in the industry. Having a reputation as a solid corporate citizen will encourage other companies to do the same.
- Money saved on security development may be diverted to other security measures or company needs, thus preventing duplication of work.
Corporations Hesitant to Share Information
Companies have shown a reluctance to share information due to concern about violating privacy and antitrust laws. The government recognizes these concerns and “provided guidance that will not consider generally accepted cybersecurity information sharing to be anticompetitive behavior.” (Congressional Research Service paper, P.4)
Additionally, concerns exist regarding decreasing sales numbers and falling stock prices. Companies hit by data breaches have experienced mixed stock results: some saw increasing stock prices within a three-month period post-breach, while others saw stock prices plummet during the same period.
Methods for Sharing Cybersecurity Information
Publicly traded companies are required by the SEC to reveal information with “substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” It is important to note that neither the SEC nor courts have mandated when companies need to announce such information.
The Information Sharing and Analysis Centers (ISACs) program was enacted in 1998 so that private sector, nonprofit member entities could collect, analyze and share information. ISAC groups exist for different industries, and they share information anonymously with government and other ISAC group members. Membership cost is dependent on a company’s desired membership level.
Congress has attempted to pass legislation to give companies incentives for information sharing. Three bills have been introduced unsuccessfully during the 113th Congress.
- Increasing cybercrime has resulted in billions of dollars lost in the global economy.
- It behooves companies to share cybercrime information to prevent future attacks, reduce expenses and build a positive industry reputation.
- ISACs provide a means of sharing information anonymously with the government and other industry players.