Following new SEC guidance issued in the US relating to disclosure of cybersecurity risks in company filings, public companies are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data. This infographic looks at the state of software security in public companies, and shows why companies and investors alike should care.
Public companies spend billions on network and device security, but breaches still occur on a regular basis.
THE CULPRIT: Weaknesses in their Software Applications
Why Should Investors Care?
The SEC believes cybersecurity risk should be seriously considered before investing in a public company.
In October 2011, the Division of Corporation Finance issued CF Disclosure Guidance: Topic No. 2, Cybersecurity. Public companies should disclose cybersecurity risks or incidents.
2012 Data Breach Investigations Report
A study conducted by the Verizon RISK Team with cooperation from policing agencies around the world.
Large organization hacking vectors by percentage

| Hacking vector | Percentage |
| --- | --- |
| Backdoor or control channel | 34% |
| Remote access/desktop services | 20% |
Top Attack Methods from the Web Hacking Incident Database (WHID)

| Attack method | Percentage |
| --- | --- |
| Denial of Service | 23% |
| Cross-Site Request Forgery | 2% |
| Predictable Resource Location | 2% |
So how are public companies doing?
(according to the Veracode State of Software Security report)
- Public companies face material cybersecurity risks from weaknesses in their software applications
- 84% of web applications from public companies were deemed unacceptable upon initial testing when measured against the OWASP Top 10.
- 63% failure rate of non-web applications in use at public companies upon initial testing when measured against the CWE/SANS Top 25.
- Public company revenue had no bearing on application security performance against industry standards.
- Public companies fare no better than companies at large on software security or on developer knowledge of secure coding.
- 57% of developers who took a basic application security assessment achieved a grade of C or lower.
- Reliance on third-party applications is widespread, but formal risk assessments are not. Less than one in five public companies has performed a formal security review of third-party applications.
- Many factors influence key decisions and policies regarding application security in an organization.
- Over 40% of public companies that defined a custom policy chose to measure their applications against PCI or the OWASP Top 10.
United States Securities and Exchange Commission
Who’s reporting on cybersecurity risk in recent SEC filings?
Bank of America
“as cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities.”
“Our business could be negatively affected by cyber or other security threats or other disruptions… We routinely experience cyber security threats, threats to our information technology infrastructure and attempts to gain access to our company sensitive information.”
“Protection of electronically stored data is costly and if our data is compromised in spite of this protection, we may incur additional costs, lost opportunities and damage to our reputation…we develop and maintain systems to prevent this (data compromise) from occurring…”
“a compromise of our data security systems or those of businesses we interact with that results in information related to our customers or business being obtained by unauthorized persons could harm our reputation and expose us to regulatory actions and claims from customers, financial institutions, payment card associations and other persons…”
Infographic by Veracode Application Security