Hacking America

Protecting Your Investments From Cyberterrorists

Jacob Olcott, Principal, Good Harbor Security Risk Management

U.S. government officials are awfully concerned about cybersecurity these days. President Obama recently issued an Executive Order to improve the security of key national infrastructure like the electric grid and unveiled a strategy to reduce trade secret theft. Defense Secretary Leon Panetta recently warned business executives in New York about a pending "cyber Pearl Harbor." The head of the National Security Agency, Keith Alexander, calls the cyber theft of corporate secrets "the greatest transfer of wealth in history."

Should investors share these concerns? What should they be worried about? And how should they account for cybersecurity in their investments?

Investors should be extremely concerned about the widespread theft of information from corporate networks. In recent years, hackers have successfully stolen vast quantities of sensitive data from U.S. businesses, including business strategies, research and development information, transactional information, bid data, financial information, formulas, blueprints, and designs. Government officials like to say there are two types of businesses: those that know they've been hacked, and those that don't know it yet.

Why use hackers to steal information from businesses? The answer is simple: economic competitive advantage.

When it comes to China, widely considered the most aggressive sponsor of cyber espionage against corporations, U.S. intelligence officials believe that the government is motivated to steal information and provide it to Chinese national businesses in order to help strengthen their competitive standing. This week, cyber forensics company Mandiant shed some light on China's activity, issuing a groundbreaking public report claiming that one group of Chinese hackers stole terabytes of data from at least 141 organizations. (One terabyte is the equivalent of approximately 220 million pages of text. That's a lot of secrets.)

The size and scope of cyber espionage against businesses is significant and growing. A recent National Intelligence Estimate characterizes cyber espionage against the US private sector as a serious threat to American economic competitiveness, costing the US economy between $25 and $100 billion a year. These are just estimates – the true nature of the problem is almost impossible to value or determine today due to lack of data.

Many companies have been slow to respond to this threat. Some are overwhelmed by the problem and think that there's nothing they can do. This is dangerous thinking. According to a major data breach study by Verizon, 97 percent of all successful cyber penetrations could have been avoided through simple or intermediate security controls.

So what's an investor to do?

Investors who are concerned about the security of the companies they invest in need to press corporate executives to manage cyber risk the same way they would manage other risks to the business.

Investors must proactively obtain updates from executive leadership about the company's strategic and financial commitment to protecting key information and assets. Investors should ask for evidence of:

1. A cyber risk management strategy. The strategy is a document agreed upon by senior executives that outlines the company's approach to the issue. It should be focused on managing cyber risks to the business, not just compliance.

2. A cyber risk committee comprised of senior corporate executives (general counsel, business and operations management, etc.). This committee should be responsible for managing cyber risk across the organization. It can report to the audit committee or board of directors, and should be able to provide material information about cyber risk to investors.

3. A senior corporate executive who is responsible and accountable for managing cyber risk for the organization, in addition to the chief information security officer.

4. An independent network security assessment or breach indicator assessment that determines whether the company's information systems have been compromised, and the extent of the damage. Experienced forensics teams usually find evidence of malicious actors operating at will within the corporate environment.

5. A cyber crisis management plan that has been exercised by senior officials so the company can minimize the damage when an event occurs.

Let's be clear: investors are legally entitled to information about cyber risks and events and should be asking for this information. In October 2011, the Securities and Exchange Commission issued guidance to publicly traded companies describing their obligations to disclose material cyber incidents to the public. Many public companies are trying to determine whether the breaches they've experienced rise to this level; ironically, many do not report because of a fear of their investors. Some would argue that a decision to withhold information because of its impact on investors represents prima facie evidence of a material breach.

The bottom line is that there's a reason why government officials are so scared of cyber attacks. Investors should be too. Investor pressure on businesses will go a long way in motivating corporate executives to appropriately address these risks.

Jacob Olcott is a Principal at Good Harbor Security Risk Management where he manages the firm's cyber risk practice. He previously served as a legal advisor to the U.S. Senate and House of Representatives where he focused on cybersecurity issues.