Incident non-disclosure amounts to hiding facts from shareholders

It’s time Indian regulators recognize security incidents as a business risk, and make it mandatory for organizations to disclose risks and incidents.

In early 2011, 100 BPO firms surveyed in Gurgaon acknowledged of having been victims of cybercrime —70% of these had not filed a report. According to Minister of State Sachin Pilot’s disclosure, 171 government websites were hacked in the first half of 2011. NCRB (2010) reported that cybercrime is up 89.9% over the previous year. These statistics say a lot, but the affected organizations are not talking.

Indian corporations have a mandatory requirement to publicly announce incidents that may affect their working, but regulators are yet to recognize security incidents as a business risk. Incidents like data leaks, laptop loss and virus attacks cause business loss, but are unreported.

Incident recovery costs can run into millions and this (unavoidable) non-budget expenditure, has to be spent on:

  • Internal team effort and system downtime
  • Security and forensics consulting fees
  • Purchase new equipment
  • Staff augmentation
  • Public relations/legal costs
  • Regulatory penalties

Shareholders are clueless, as recovery costs are hidden by creative accounting. Intangible costs are overlooked, the disaster is hidden, and no annual report makes any financial or risk disclosure. So the organization got hit by a criminal, and then engaged in a criminal act themselves… whither governance.

Recently the US Securities and Exchange Commission (SEC) issued its guidance to corporate entities to report security incidents and breaches. The Indian Government can follow suit with appropriate amendments to the IT Act and associated legislation. Statutory bodies like SEBI, RoC, DoT, ICAI, Stock Exchanges must take the lead by requiring listed companies to disclose security breaches. This will be a positive step in the direction of better governance practices in listed companies.

Organizations that recognize the responsibility to their investors must include, at the least, the following practices as part of corporate governance and accounting practices. This will demonstrate responsibility towards stakeholders:

  • Make appropriate disclosure if and when there is a security breach, compromise, theft of organization assets or any malicious incident, in respect of:

                    >> Remediation and recovery costs as a separate item in the financial statements
                    >> Liabilities due to penalties as a result of the breach
                    >> Tangible and intangible losses that must be followed to closure

  • Include a section on information security, management and technology in the annual report. This should inform stakeholders about the organization’s preparedness/readiness.
  • Provide information about the level of security and practices in the organization
  • List those technology and security risks that may affect corporate financial goals
  • Provide information about the security breach and response measures
  • Enable proactive and preventive security practices in the organization

Organizations cannot escape the fact that technology is not just a business enabler but a critical function, and anyone running their business without adequate security controls is looking for trouble. Regulatory bodies and investor protection organizations must push for mandatory disclosure of security incidents and provide guidance for accounting and communication practices. This is essential to ensure that stakeholders are not short-changed, and organizations do not (inadvertently) engage in dubious accounting and cover up practices. the author: Dinesh Bareja, CISA, CISM, ITIL, is an information security consultant specializing in strategic and customized IS solutions, MSS, SOCs, PCI, ISMS, ITSM and more. He is currently a VP (Information Security) with Grid Infocom. Bareja is involved in training and conducts regular online mentoring sessions, as well as maintains for InfoSec certifications. You can connect with him at [email protected].

Read more on Data breach incident management and recovery