
Cybersecurity Today Is Treated Like Accounting Before Enron - SREinSF
https://www.nytimes.com/2018/01/08/opinion/cybersecurity-breach-spectre-meltdown.html
======
robterrin
Nate Fick's op-ed is well written but misdiagnoses the problem. Having spent
my whole career in cybersecurity, years studying public policy, and prior work
at a big four accounting firm, I believe that while legislative action is
necessary, it is not sufficient. Let's examine the success of the law Fick
hopes to model, Sarbanes-Oxley (SOX).

The Enron fraud, which precipitated SOX, was pretty simple at its core.
Arthur Andersen, Enron's auditor, traded weak accounting oversight for
lucrative consulting contracts. In the wake of Enron, all remaining big four
accounting firms, except Deloitte, sold off their consulting businesses to
avoid an appearance of conflict of interest. Since then, they have all either
bought or grown their consulting businesses back.

In the six years following SOX, only three CEOs were charged with violating
provisions of SOX. A full 60 of the 63 CFOs charged were charged with
violating previously existing legislation
([http://ww2.cfo.com/risk-compliance/2007/08/count-em-63-cfos-convicted-in-past-five-years/](http://ww2.cfo.com/risk-compliance/2007/08/count-em-63-cfos-convicted-in-past-five-years/)).

The problems are in the executive and judicial branches. The NYS DFS
Cybersecurity Law is a good start, but companies will not change behavior
until a case is brought and executives face real risk. Until then, no amount
of legislation, Federal or otherwise, will be sufficient. In fact, a patchwork
of state and Federal regulations that cover some companies according to how
they are chartered and which industries they are in (e.g. Healthcare and
HIPAA) will only create a race to the bottom, where companies arbitrage
regulatory regimes and confusion reigns. This was the state of financial
regulation prior to the creation of the SEC
([https://en.wikipedia.org/wiki/Blue_sky_law](https://en.wikipedia.org/wiki/Blue_sky_law)).

An interesting historical footnote is that the era of blue sky laws was the
early 1900s, which coincided with a period of technological innovation
(electrification and the combustion engine), falling demand for labor, and was
punctuated by manias and panics. Sound familiar?

It wasn't until after the United States experienced the Great Depression,
awoke from its fever dream and established a body to enforce the recently
passed Securities Exchange Act, that Wall Street was temporarily cleaned up.
Unfortunately, regulatory capture has resulted in modern day financial
regulation becoming a competitive advantage for big banks that can afford the
lobbying and compliance overhead.

------
YanFrarS
I'm interested in what kind of regulations would be effective in ensuring
proper cybersecurity practices are exercised.