Christopher Bing and others writing for Reuters:
A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry.
“I’ve never seen anything like this,” said a consultant who works with dozens of publicly traded companies that recently received the request. “What companies are concerned about is they don’t know how the SEC will use this information. And most companies have had unreported breaches since then.” The consultant spoke on condition of anonymity to discuss his experience.
There is a widespread issue around underreporting of “hacks” and breaches in enterprises. This is a welcome step from the SEC, because it will focus on “security” as part of operational expertise. I have observed several work accounts being compromised, and some organisations have finally realised that employees are using their official credentials on the “open web” too. Most organisations refuse to step up defences around 2FA, passwords and inclusion of biometrics in the routine framework. That refusal hampers secure processes, though most end users complain that such defences cause too much friction in the work process.
Here’s the concern:
Cyberattacks have grown in both frequency and impact, prompting deep concern in the White House over the last year. U.S. officials have faulted companies for failing to disclose such events, arguing that it conceals the extent of the problem from shareholders, policymakers and law enforcement looking for the worst offenders.
Nation-states steal credentials and accounts, and thereby harm business intelligence. This also leads to a loss of earnings and confidence. I hope it gets the attention it deserves.