with Aaron Schaffer

Many publicly traded companies are leaving investors in the dark on important cybersecurity risks, a new report suggests. That includes vulnerabilities like the ones that allowed Russian hackers to exploit SolarWinds and other firms to infiltrate nine federal agencies and at least 100 companies.

The study's authors found that many publicly traded companies fail to provide investors with some of the most basic information required by the Securities and Exchange Commission. Instead, many companies rely on boilerplate legal statements like “[c]yber-attacks could have a disruptive effect on our business,” an analysis of annual and quarterly reports for publicly traded organizations showed.

That tells investors nothing about how a company would handle the growing threat of ransomware attacks or hackers exploiting vulnerabilities in a third-party supplier, explains Kevin Gronberg, vice president of policy and government affairs at SecurityScorecard. 

SecurityScorecard commissioned the report alongside the nonprofit Cyber Threat Alliance, the National Association of Corporate Directors, software company Diligent and analytics company IHS Markit.

“We're not looking for companies to give a road map to the crown jewels, but we are looking for more granular [details] and more candor in their annual reports with regard to the cyber risk that they are facing,” says Gronberg.

The report focuses on concerns with how firms are interpreting SEC guidance.

With some exceptions in the finance and health industries, most American companies are not required to report breaches to the government or customers.

However, the SEC issued guidance in 2018 that publicly traded companies should disclose material cybersecurity risks and incidents in a timely fashion to investors, weighing factors such as financial risk to investors and the importance of any compromised information. The guidelines say that companies should report such risks periodically.

That's a far cry from what most publicly traded companies are actually doing, the report found. In 2020, only 17 percent of Fortune 100 companies disclosed management-level cyber-related issues to the board or relevant board committees at a “frequency of at least annually or quarterly,” the report says.

The report's authors say “current disclosure regulations are adequate,” but private companies need to provide more detail to meet the SEC guidance. The report recommends voluntary steps such as regularizing internal reporting and making that a part of disclosures to the SEC.

Capitol Hill wants to take a more hands-on approach.

House members last week said they had plans to introduce legislation that would involve mandatory breach and cybersecurity incident reporting to both the government and customers, depending on the incident. 

Big name cybersecurity players including Microsoft, FireEye and CrowdStrike tell Congress they support the idea of incident reporting legislation.

The report doesn't weigh in on mandatory disclosures to the government, but its authors hope the problems it outlines could be helpful in informing the current debate.

“We have to have a better understanding of what we're talking about when we disclose things,” says Gronberg. “Without being able to measure something, you can't get better at it. And if the government is going to require disclosures, disclosures without being actionable are meaningless.”

Other legislation could be waiting in the wings.

A bipartisan group of lawmakers introduced 2019 legislation requiring SEC-registered companies to disclose the level of cybersecurity expertise on their boards. Gronberg says he spoke with bill co-sponsor Rep. Jim Himes's (D-Conn.) office about the report and believes there's a chance the bill would be reintroduced in the coming weeks. Himes's office did not return a request for comment.

A Biden SEC could also weigh in.

The division of the SEC dedicated to compliance and risk investigations this week named cybersecurity compliance areas including threat management, incident response, and third-party vendor management a top priority for 2021. That means that more guidance on reporting could be forthcoming.

The keys

FireEye identifies 40 new victims of hackers exploiting Microsoft Exchange.

The newly disclosed victims include U.S.-based retailers, local governments, a university and an engineering firm, FireEye researchers said in a statement.

Microsoft and cybersecurity companies announced the hacking campaign earlier this week, attributing it to a group with Chinese ties. The group, Hafnium, targeted infectious-disease researchers, law firms, universities, defense contractors and nongovernmental organizations.

The Cybersecurity and Infrastructure Security Agency urged all users of the affected Microsoft software to patch the vulnerability this week and required federal agencies to disconnect or patch any devices until they were secured. It's still unclear if any federal agencies were compromised.

FireEye began seeing the problem at Microsoft as early as January. In addition to the activity seen by Microsoft, FireEye says that it has seen new clusters of activity from unnamed groups.

A government watchdog found that the Defense Department did not enforce cybersecurity requirements for weapons contracts.

Some contracts that the Government Accountability Office looked at didn’t have any cybersecurity requirements when they were awarded, Bloomberg News’s Alyza Sebenius reports.

“Some contracts we reviewed had no cybersecurity requirements when they were awarded, with vague requirements added later,” the GAO said, noting in the report that “DOD and contractor officials told us that contracting for cybersecurity requirements is a general challenge.”

“Until they can get detailed requirements into the contracts it’s still going to be a challenge to ensure that you’re getting robust cybersecurity,” Bill Russell, a director in the GAO’s contracting and national security acquisitions team, told Sebenius. 

The GAO said in the report that the Pentagon had made some cybersecurity progress since 2018.

The Senate is working on a $30 billion bill to boost the chip industry.

The bill, which is being drafted by Senate Majority Leader Charles E. Schumer (D-N.Y.), comes amid a growing global shortage of the technology, Reuters’s Alexandra Alper reports.

Lawmakers have rallied for funding for U.S. chip makers as both a means of increasing production and providing a secure alternative to chips made by tech-rival China.

Biden last month issued a 100-day government review into potential vulnerabilities in the U.S. supply chain for critical items, including chips used by manufacturers such as the automobile industry.

Hill happenings

Members of Congress want regulators to crack down on fertility-tracking apps that share personal information.

Senate Foreign Relations Committee Chairman Robert Menendez (D-N.J.) and Reps. Bonnie Watson Coleman (D-N.J.) and Mikie Sherrill (D-N.J.) told acting Federal Trade Commission chairwoman Rebecca Kelly Slaughter that the commission should take enforcement action on menstruation-tracking apps that have had data breaches or have improperly shared personal data. The letter comes after mounting media reports that popular fertility and menstruation-tracking apps have shared data without getting consent from users.

Cyber insecurity

Hackers compromised at least four major hacking forums.

Hackers say they were able to get user data from two of the sites, where elite cyber criminals communicate and offer their services, Krebs on Security’s Brian Krebs reports.

Internet-messaging identifiers were leaked online, potentially allowing researchers to tie accounts on various sites to one another. The timing has users of the elite hacking forums concerned that foreign intelligence agencies plundered the data.

“Only intelligence services or people who know where the servers are located can pull off things like that,” one user of the Exploit forum said. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”

Global cyberspace

Russian hackers used Lithuanian networks to attack coronavirus vaccine developers, the country’s intelligence agency said.

A Russian hacking group known as Cozy Bear used Lithuanian IT infrastructure to launch cyberattacks on developers of coronavirus vaccines abroad, according to the NATO country’s annual threat assessment. The report also said that it is likely that Russia and other adversaries have shifted to using cyberattacks as their primary way to gather intelligence amid the coronavirus pandemic and prevalence of remote work.

The report also suggested that foreign adversaries are using ransomware hacking groups to destabilize their target countries by going after groups that are working on managing the pandemic. Hackers linked to Russian intelligence also targeted “high-ranking decision-makers” in the country last year, according to the report.

Daybook

  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, delivers a keynote address at the annual ICS Security Summit today at 9 a.m.
  • Wiktor Staniecki, the deputy head of the security and defense division of the European Union’s foreign policy arm, speaks at an event on American and European cyber policy hosted by The German Marshall Fund of the United States today at 10:30 a.m. 
  • House Armed Services Committee Chairman Adam Smith (D-Wash.) speaks at an event hosted by the Brookings Institution today at 11 a.m.
  • Duke University’s engineering school hosts a seminar on cybersecurity threats amid remote work today at noon.
  • Rep. Jim Langevin (D-R.I.), the chair of the House Armed Services Committee’s cyber panel; Eric Goldstein, the Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity; and Debra Jordan, the deputy chief of the Federal Communications Commission’s homeland security bureau, speak at an event hosted by the Center for Strategic and International Studies on March 9 at 11 a.m. 
  • The Aspen Institute hosts an event on international Internet blackouts on March 9 at noon.
  • U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on March 10 at 4:30 p.m.

Chat room

A viral TikTok on a purported vulnerability in popular grading software was quickly debunked. University of Michigan professor J. Alex Halderman:

NBC News's Kevin Collier:

Biden campaign engineering director Matt Hodges:

Secure log off