[MattSteelblade]

> Unisys will pay a $4 million civil penalty;

> Avaya. will pay a $1 million civil penalty;

> Check Point will pay a $995,000 civil penalty; and

> Mimecast will pay a $990,000 civil penalty.

With the exception of Mimecast, these are companies that are bringing in billions of dollars in revenue annually. How is this supposed to deter them?

[Hilift]

The fines are symbolic. Even if you look at the fine for the hotel data breach in 2018, that was only $52 million (US) and $23 million (UK), total of $75 million. And the Equifax breach? An executive VP of IT sold $584k of shares right after the breach and before the press release. Nothing happened to him, he said he was unaware of the breach. https://www.npr.org/sections/thetwo-way/2017/09/08/549434187...

The SW supply chain attack is one of the most brilliant cyber attacks in recent history. They hit a train load of gold bars, and had a much as 14 months of dwell time with potentially 18,000 customers. Discovery must have been disappointing for the attackers.

If you follow the most important rule, secrecy, you get plausible deniability and small-er fines.

[ensignavenger]

Unisys and Avaya are both reporting losses. This fine makes it even more of a loss. Further, if they don't mend their ways, the SEC will give them an even bigger fine.

[advisedwang]

SEC likely offered low settlements here to get agreements without having to battle in court whether SEC even has the authority to do this. Now that they have to some degree established authority here* they can go for enforcement harder and push companies further on disclosure.

* ie a practical precedent, not a legal one

[alephnerd]

> How is this supposed to deter them

Unisys and Avaya are both security vendors. This absolutely is a bad look for them, as almost every Security RFP asks about internal controls and how a vendor has remediated against these issues, and this is ammunition for any competitor to ask a prospect to re-evaluate purchases from either due to misrepresenting their security procedures.

Furthermore, Unisys only has an operating profit of around $200M a year, so a $4M fine is fairly brutal (that's an entire security team's operating budget for a company at Unisys' size).

Avaya's is smaller still, so that $1M is fairly brutal for them

[0xffff2]

They pay the penalty and they are expected fix the issue. If they don't, there will be additional enforcement actions.

[Mistletoe]

Doing anything at all probably costs more than $1M.

[alephnerd]

Not that much more.

Furthermore, security vendors like Avaya and Unisys could arguably be in breach of contract with customers because it could be argued that they misrepresented their internal security protocols to customers.

[Terretta]

What really gets attention is "consent orders" where if the regulated entity doesn't clean up the act, then that line of business, or the whole entity, gets shut down.

Often you may see this result in a divestiture, as in, unable to clean up, so we'll sell the client base to someone with better systems. (In theory. Almost inevitably, this drags a few legacy systems over anyway.)

[SpicyLemonZest]

It's not a case of deterrence. As the orders linked from the press release describe, all four of these companies have been cooperating extensively with the SEC to fix things up and agreed to continue doing so as part of the settlement.

[teeray]

The law should be written to require a mandatory percentage of revenue. That will wake them up.

[kmeisthax]

It will not.

The reason why companies get breached is because the systems being breached are all legacy. Company A buys company B who bought company C, which merged with company D. C fires D's old IT department, because it's redundant, so now D's billing system is being managed by C's IT department. C then sells itself to B, who has a much more robust billing system. At this point, it'd make sense to replace the billing system from D, but everyone who knew how it worked got fired in the C/D merger. So it sits around because nobody wants to break that part of the business. Then A buys B and does another round of layoffs, so anyone who even knew about this is gone.

Ten years and hundreds of iterations of this exact cycle later, you get an e-mail from a stranger saying they found all your customer records being sold on a cybercrime forum. Your IT department scrambles to remediate a breach in a system they've never heard of that nobody remembers installing or maintaining. It's just always been there. Corporate amnesia runs deep. People are finding forgotten old servers running unpatched versions of Windows Server 2003 that were so ritualistically overlooked you'd need to be high on Class Z mnestics just to perceive them.

Every enterprise IT department is like this. That's why companies get breached so damned often. There is never enough time in the budget to properly document legacy systems, nor are the decision-makers at the top even aware of the fact that they exist. Their job is to eat things, and they eat voraciously. If you want to stop this from happening, you need to make M&A illegal, not just inflict more pain to the invisible arms the corporate body cannot perceive pain from.

[akira2501]

> Every enterprise IT department is like this.

That's because it's not understood what a liability allowing this to occur is. Perhaps if we fine them based on revenue they would understand that IT is a core part of their company and can no longer live on the edges of the business units.

[jjav]

> That's because it's not understood what a liability allowing this to occur is.

No, it's because they understand what the liability of allowing this is (minimal and inconsequential). So why bother?

[akira2501]

Clearly not everyone agrees with you that it is minimal and inconsequential. Perhaps you are lucky enough to not have anything vital of yours disclosed without your knowledge or consent.

[jjav]

The liability of allowing this. Liability to the company. It is factually minimal and inconsequential.

Look at the stock price hit companies take when they have security breaches. The impact is basically none apart from a short-term dip which recovers soon enough. Or look at the fines companies get for breaches, always a minuscule percentage of their profit.

This is why companies will keep short-changing security, because to them it's just a cost that doesn't really matter. And objectively, it doesn't matter when viewed from the lens of maximizing profit at all cost.

Did crowdstrike go out of business yet as a consequence of their breach? Did tmobile? Did equifax? These all should have, but all are going strong.

So yes, impact is minimal and inconsequential.

Depressing.

[anitil]

Thankyou for a clear explanation of how this sort of thing can happen. I've seen similar issues in profit-making parts of businesses, so I imagine it can only be worse in areas seen as cost centres

[pjmlp]

They will easily find time and budget as soon as liability starts being a common thing in IT industry across the board, instead of only on high integrity computing deployments.

[philipov]

Well, you've convinced me. M&A should be illegal.

[JumpCrisscross]

> law should be written to require a mandatory percentage of revenue. That will wake them up.

Percent of revenue fines regressively to margin.

10% of Walmart's revenue is 4 years' profits. 10% of Equifax's is a few quarters'. Moreover, you'd have a bureaucrats' delight of companies splitting revenues across entities while courts have to litigate common control claims. Unless you have a good reason to punish low-margin businesses more heavily than high-margin ones, this is an inefficient scheme.

Better: fines based on damages, trebled.

[TeMPOraL]

> Better: fines based on damages, trebled.

Except damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line.

[JumpCrisscross]

> damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line

Through private action, yes. Use statute to define damages as a function of number of people affected, type of data released and whether the company self reported or was caught, by the public or a regulator. Add enhancements if the company was reckless, the data was out there for longer than a month or if it was accessed by foreign adversaries.