The Exploit

Notes from the Front Lines of Penetration Testing

What Companies Should be Telling Investors about Cybersecurity

As a customer, how much do you know about how major corporations handle your personal data? If you’re a shareholder in a company (or several), do you have any idea how well it is prepared for a cyberattack? What is the company protocol for publicizing a security breach?

For the vast majority of Americans, the likely answer is that they know very little on any of these counts. And here’s the worst part: you won’t find out by reading a company’s official filings with the Securities and Exchange Commission (SEC), nor will you hear the topic come up on a quarterly earnings call.

A recent study confirmed what a lot of us have known for a while: many publicly traded companies still decline to disclose the true nature of the threats they face and what they are doing to mitigate them. Despite increasing pressure from the SEC, the report suggests that most would greatly prefer to stay silent, even after a breach has occurred.

The report was assembled by the National Association of Corporate Directors (NACD), SecurityScorecard, the Cyber Threat Alliance, Diligent, and IHS Markit. These organizations and companies are arguing for more cybersecurity transparency. In my view, this is long overdue; as the authors note, ransomware and other serious threats are growing in both frequency and severity.

To be clear, as a CEO, I understand why some corporations worry they’ll face a competitive disadvantage if they are too forthcoming about risk. As a professional penetration tester (ethical hacker), I also appreciate their concerns about handing the bad guys, who use the same techniques I do, information that might be exploited, or that might even help cybercriminals better understand the value of data they’ve already stolen.

On the other hand, I am also an investor and a customer. Wearing all these hats makes me frustrated that the government and Corporate America haven’t come up with a solution that puts everyone on a level playing field – including the people who are shouldering much of that risk in the form of their investments.

In my view, that solution could be as simple as providing answers to three questions that would help me, as an investor or potential investor, decide whether to put my money on the table.

  • First, what assets do you have that are most at risk from a cyberattack? This might be intellectual property that can be stolen, customers’ personal information, the money in your corporate bank account, or all of the above and more. The answer should also address the potential impact on upstream and downstream vendors and customers. The most important point here is knowing that the company understands what it has to lose.
  • The next question follows logically: what are you doing to protect those assets? This doesn’t have to be a laundry list that describes each security layer in detail, but it should give readers a sense that the security is appropriate to stop the types of threats the company anticipates. Again, what I really want to know is that the company is doing what’s necessary, not just offering a generic response that restates the question.
  • The third and perhaps most important question is whether the security has been evaluated and validated by experts outside the company. Former President Ronald Reagan famously described his policy toward the Soviet Union as “trust but verify,” and that is appropriate in the world of cybersecurity as well. Though we have to trust companies to be candid and truthful, there is a lot of value in having professional third parties provide independent analyses.

Simply answering these questions is no guarantee that the company won’t be breached, but there is great value in the asking. For one, it keeps cybersecurity top-of-mind in the C-suite, ensuring that it factors into all major company decisions. It also gives policymakers a clearer picture of our nation’s cyber resilience and exposes major shortcomings that can be addressed with legislation or regulation. And it provides peace of mind for people who are considering placing their hard-earned money in the company’s hands.

In the wake of the far-reaching SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack, now is an excellent time to ask Congress and the SEC to work with publicly traded companies to find a workable disclosure template that better protects all of us.


Mark Puckett
