From: Financial News
Simon Bushell and Gail Crawford
In 2012, the director general of MI5 revealed that a London-listed company had lost £800 million as a result of a state-backed cyber attack. The company in question has not been publicly identified and no disclosures were made to the market. Why was the market not notified?
That question is one that is likely to gain in importance. In a sign of how seriously the authorities are taking the threat, the Bank of England last month published a report on an exercise carried out last year to test the response of the banking sector and the financial markets to a simulated cyber attack by a hostile foreign state.
The threat is not just theoretical. The UK’s Department for Business, Innovation and Skills reported in April last year that 93% of large organisations surveyed had experienced a security breach, yet we have few examples of any listed companies making a market disclosure.
In the US, disclosure of data breaches to customers (and therefore the public) is frequent – driven by state-level reporting rules for breaches of personal data security – and this has resulted in complacency among individuals who receive frequent notifications. In addition, the US Securities and Exchange Commission has issued guidance to US-listed companies about how and when they must report cyber security issues, although companies are reticent when it comes to reporting breaches in any great detail.
Leave a Reply