New SEC Cyber Guidelines, Tesla’s Crypto Cloud, WhatsApp’s Money
Good afternoon, Cyber Saturday readers.
The U.S. Securities and Exchange Commission on Wednesday issued new guidance imploring companies to be more transparent in handling cybersecurity risk and data breach disclosures. The injunction which, it must be noted, lacks teeth, is awfully similar to recommendations the commission made when it last issued guidance on the matter in 2011. Three aspects of the new directive are worth reviewing, nonetheless.
First, the SEC exhorted companies to report vulnerabilities and hacking incidents “in a timely fashion.” Equifax caught heat five months ago for revealing a massive theft of people’s Social Security numbers six weeks after it learned of the heist. In November, Uber came under fire for withholding details—essentially covering up—a year-old security breach affecting millions of customers. It’s hard not to see the SEC’s re-upped guidance in light of these failures. Don’t dilly dally when it comes to disclosure, people.
Second, the SEC enjoined corporate insiders not to sell shares of a company when holding privileged knowledge about cyberattacks and breaches that could affect stock price. Equifax once again fits the bill: A big stock selloff by its executives before the disclosure of its staggering robbery spurred multiple insider trading investigations. Intel CEO Brian Krzanich got hit with backlash, too, for selling a large block of shares after learning of the Meltdown and Specter computer chip vulnerabilities, but before disclosing them to the public. Be smart.
Third, the SEC called on businesses not to use law enforcement investigations as an excuse for keeping quiet about breaches. Companies should be sure not to reveal anything that might damage an investigation—but the existence of an investigation alone is no reason to keep investors in the dark. Lots of companies resort to this trick. Find a better excuse.
The SEC’s revised guidance will rely on the good will of companies to follow it. Corporate America would do well to heed the prescriptions, lest it wishes the heavy hand of regulation to lay the smackdown on it. (Just look across the pond at GDPR.) For anyone who thinks these mandates are obvious, tell that to the execs at Equifax, Intel, and Uber.
Signs of stronger SEC actions to come already loom. Though all five SEC commissioners approved of the new guidance, some did so “reluctantly.” Two Democrats, Kara Stein and Robert L. Jackson, indicated that they want harsher penalties in place for companies in breach of these guidelines. Be assured, if the private sector doesn’t clean up its act, it’ll be forced to comply in the future.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Get your own cloud. Hackers broke into Tesla's Amazon cloud account and used it to "mine" cryptocurrency on the electric carmaker's dime. The incident is the latest in a string of so-called cryptojackings, where hackers hijack computers to mint virtual coins. Once alerted to the threat, Tesla sealed up its systems and paid the researchers who discovered the intrusion $3,133.70 for reporting the vulnerability that enabled the thieves to get inside.
Get out the vote. Who ever said voting machines weren't hackable? Election officials have long tried to quell the public's cybersecurity concerns on this point, arguing that hackers can't tamper with ballots since voting machines are not connected to the Internet. The reality is far more complicated, as Kim Zetter reveals in this piece for the New York Times Magazine; turns out remote access software and modems pose a threat to democracy.
Get out of my courtroom. Companies that sue—or threaten to sue—reporters and security researchers who are just doing their day jobs are bound to have a chilling effect on the cybersecurity world, argues ZDNet's Zack Whittacker, who cites a number of active lawsuits and the concerns of 11 industry insiders. If researchers and reporters really are self-censoring their work for fear of litigation, that does not bode well for vulnerability-riddled private sector, which needs all the help it can get.
Get that money. WhatsApp cofounder Brian Acton is pumping $50 million into the Signal Foundation, a nonprofit that will develop technology focused on privacy and data protection. The foundation will take over maintenance of the namesake Signal Protocol, a technology that provides end-to-end encrypted communications for WhatsApp, Facebook Messenger, Skype, and more. Expect improvements, additional features, and new privacy projects out of the foundation.
Celebrity ICO endorsements just jumped the shark.
Share today's Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
"I’ve spent 23 years in law enforcement and, unfortunately, I believe as long as police have been seizing cash, some have been skimming it. I don’t think Bitcoin will prove any different."
—Clifford Histed, a former prosecutor who now practices at the law firm K&L Gates, told Fortune's Jeff John Roberts that he wouldn't be surprised if cops were lining their digital wallets with some of the Bitcoin they seize from criminals. Roberts' deep dive into the U.S. government's poorly tracked Bitcoin hoard in the most recent issue of the magazine is well worth a read.
Symantec's Greg Clark Discusses Helming the Cybersecurity Giant, by Susie Gharib
How an Amazon Self-Published Book May Be the Latest Money Laundering Scam, by Aaron Pressman
Here's What Bitcoin Must Prove Before Goldman Sachs Would Invest, by Jen Wieczner
Elon Musk Is Leaving the Board of an AI Safety Group He Cofounded, by Tom Huddleston, Jr.
Ex-Synack Engineers Raise $3 Million for Security Startup, by Robert Hackett
A Computer Glitch Let a Trader Claim $20 Trillion in Free Bitcoin, by Chris Morris
Facebook Will Use Postcards to Fight Foreign Meddling in U.S. Politics, by David Z. Morris
Beware of Pranksters Crashing Apple iPhones Using Twitter, by Don Reisinger
Meet Chronicle, Alphabet's Latest Moonshot, by Jonathan Vanian
ONE MORE THING
The right way to read Frankenstein. This year the literary world is celebrating the bicentennial of Mary Shelley's horror tale. Some editions are, understandably, hyping the story's unnerving, existential reckoning for scientists, engineers and inventors. As Jill Lepore argues in this fantastic feature for the New Yorker, focusing solely on these elements "makes for a weak reading of the novel." It fails to reflect, for one thing, on Shelley's rich, radical politics, inspired by the Haitian revolution and abolitionism. (Side note: Lepore's essay will prove doubly interesting for readers who have seen Guillermo del Toro's latest monstrous romance, The Shape of Water.)