GAAP and Cybersecurity
So let’s talk about accounting and then we’ll get to cybersecurity.
Back in 1929 we had the Great Depression, and it was great. One of the things that really came to light was that it was caused by faulty, manipulative reporting practices in businesses. Businesses weren’t being safe, weren’t being cautious, they were extremely vulnerable, and they were caught.
In response to that, the federal government, along with professional accounting groups, created standards for ethical and accurate reporting of financial information. This is GAAP (generally accepted accounting principles).
Now a lot of people will sit back 40, 50, 60 years later and say the government’s being tyrannical, they’re putting too many requirements in place, but in the ’30s it was accepted. The Securities Act of 1933 and the Securities Exchange Act of 1934 essentially required businesses to follow minimal good accounting practices. If you’ll notice, we never had a great depression throughout the rest of the 20th century.
Should we do the same for cybersecurity? Should we essentially create some standards in terms of security processes that organizations should follow in order for them to obtain insurance, do banking, or do business? It’s already starting to happen, but should it happen formally?