I’ve thanked the SEC before for their attention to cybersecurity. Now they have released more “rules for cybersecurity risk management, strategy, governance, and incident disclosure by public companies.” These rules make it even more difficult for Boards, CEOs and other executives not to take security seriously.
The four-day disclosure rule is of particular note, requiring public companies to disclose so-called material cybersecurity incidents within four business days. I suppose companies could weasel out of this by attempting to define an incident as non-material (and the courts undoubtedly will have to weigh in on this one), but it’s not going to look pretty when the information leaks out anyway if they didn’t disclose. The four-day counter starts only when the determination is made that the incident is in fact material (the rule does say that determination must be made without unreasonable delay after discovery), so that provides another way to stall. “We had to talk to our lawyers for six weeks to work it out,” or some such. Even so, it’s progress.
The SEC’s rules, while generally applicable to public companies only, set the tone for other businesses in the US and also for similar regulatory agencies worldwide, so we all benefit from this. It remains to be seen whether the penalties will have teeth, but the SEC is not known for light wrist-slapping.
I’m not going to make detailed suggestions for how to comply when others have put so much effort into this already (like the good folks at IANS, for example). I just wanted to be thankful for something positive in cybersecurityland.