Accountability for cybersecurity has been climbing the corporate ladder. It used to land on the IT people. Then corporate boards started taking notice and holding executive management responsible. Now Equifax has fired CEO Rick Smith following one of the worst cyber breaches ever.
The board apparently felt Equifax’s cybersecurity itself was weak. It took too long for the company to go public about the breach. The magnitude of the stolen data exposes the company to risk that’s hard to calculate. Several published accounts described how Smith drove the company from a simple credit bureau to a data powerhouse. It also became a big, soft target. (Get it? Target!)
Federal agency heads are also accountable nowadays. In 2015, Office of Personnel Management Director Katherine Archuleta was forced out after the Great OPM breach. Donna Seymour, the chief information officer at the time, also resigned.
Yesterday, Securities and Exchange Commission Chairman Jay Clayton talked about cyber to the Senate Banking, Housing and Urban Affairs Committee. The extent and impact of the SEC’s breach is still coming into focus. The breach of its EDGAR system occurred in 2016, before Clayton came to the SEC. It came to light during a cybersecurity review Clayton himself initiated. Still, senators, including committee Chairman Mike Crapo (R-Idaho), put the SEC on notice.
Why? Because the SEC is at work on a new system. The controversial Consolidated Audit Trail will let auditors track “all trading activity in the U.S. equity and options market.” (emphasis mine). It’s so big that the SEC established an LLC to run it. Heads of the exchanges signed the memorandum of agreement with CAT NMS. The NMS stands for National Markets System.
So a massive database will be the child of a federal agency, a contractor, a Delaware LLC, and more than a dozen exchanges. You can throw in the Financial Industry Regulatory Authority. As Crapo points out, this database will have information on millions of traders, where they live, and their Social Security Numbers, to say nothing of their financial lives.
You’ve heard it a thousand times. Cybersecurity has to be built into systems, not tacked on. If ever the government had a chance to build it in, CAT is it.
Two other lessons for the buck-stops-here crowd:
First, go public with breaches as soon as you can. Otherwise, it looks like you’re covering up. Crappy cyber practices eventually come to light anyhow. You don’t need a $5,000 a day crisis management expert to tell you that.
Second, realize that bad cybersecurity is as inimical to your job as crashing the mission.