No one should be surprised that the world of cybersecurity and its associated blame game is continuing unabated. Several interesting incidents have happened in the past two weeks that bear highlighting:
- Target recently saw its debt rating cut by Standard & Poor's. Part of the reason for the downgrade was not all that unusual: Target's entry into the Canadian retail marketplace has not been going as well as planned. Interestingly, an additional reason for the debt downgrade was the losses due to the massive payment card information breach it suffered last year. The losses -- both existing and expected -- have been so large that independent third parties have forecast rocky waters ahead for Target. While S&P added that Target's "expenses could be significant but manageable," being manageable was insufficient to avoid a debt downgrade.
- The Federal Financial Institutions Examination Council (FFIEC) members have just issued statements warning financial institutions of the risks associated with cyber attacks on Automated Teller Machine (ATM) and card authorization systems, and the continued distributed denial of service (DDoS) attacks on public-facing websites. Receiving warnings about cyber attacks is nothing new, but the fact that the FFIEC listed out "steps the members expect institutions to take to address these attacks" is very interesting. Rarely do you see organizations say they "expect" security measures to be undertaken in the face of a specific threat. But here, clearly the FFIEC is not so shy.
Taken together, one starts to see a very interesting picture develop. Namely, warnings about cyber threats are growing more specific, and the language being used to urge action is growing more aggressive. At the same time, you are also now seeing financial institutions actually punish victims of cyber attacks by deeming them less-attractive investment options.
Overall, this is another sign that we are moving inexorably in the direction of real financial harm being suffered as a result of cyber attacks, and of conditions being ripe for litigation to compound the losses. I would certainly expect that this will lead to even greater investment in and care devoted to cyber defenses. If it did not, then one certainly wonders how soon management could be faced with expensive litigation aiming to hold it personally accountable for cyber attack losses.