IT Strategy

SEC filing not on the agenda for CDK, but concerns remain

“That is not a great thing for everybody from a cybersecurity perspective,” expert says of some behavior around filing rules.

Pixelseffect/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The June 19 cyberattack on CDK Global, a tech company that provides services to auto dealers, is estimated to have cost dealerships more than $1 billion—but that financial hit to its clients wasn’t enough for CDK to feel the need to file with the SEC under the agency’s ambiguous new rules for reporting hacks.

“A reasonable investor would want to know about it because of the nature of the attention it has gotten and the tail that will happen because of that attention,” former CISA official Bob Kolasky told CyberScoop. “It creates a ton of uncertainty about the kind of scrutiny that’s going to follow from this.”

No deeds. In a statement on July 3, a day after “substantially all” affected dealerships were back online, CDK parent Brookfield Business Partners announced that it didn’t “expect this incident to have a material impact” on the company. Meanwhile, CyberScoop reported, “numerous auto dealers [notified] the Securities and Exchange Commission that the breach had harmed their operations.” While CDK is a private company, Brookfield is publicly traded, making disclosure rules more complicated, RSA Conference Chairman Hugh Thompson told IT Brew.

“What the CDK case has shown us is that interpretations vary wildly,” Thompson said. “Now, there [are] important distinctions between some of the auto dealers who are directly publicly traded companies, and thus fall immediately under this disclosure law—so they’re compelled when they believe that materiality has been reached, they have four days to disclose. Then you’ve got CDK; that’s a little bit more complicated.”

Slow down, you move too fast. More generally, while SEC filing rules are important, they often can create hurdles to properly managing threats, Thompson said, and are “adding increased pressure on the role of the chief security officer.” The need to properly document and track everything you’re doing in the wake of an incident slows things down, he continued, and that can add precious time to incident response.

“My concern is that one of the first impulses you might have right now is instead of acting, it’s documenting,” Thompson said. “Because I see the signal that we might be compromised, I want to write down—meticulously—everything that I did, and everything I’m about to do, before I do anything. That is not a great thing for everybody from a cybersecurity perspective.”
