The implementation of the SEC Cybersecurity Disclosure Rules signifies a paradigm shift in how companies approach and disclose cybersecurity matters.
Organizations are prompted to reassess and reinforce their cybersecurity risk management strategies. The SEC Cybersecurity Disclosure Rules highlight the importance of board oversight in managing cybersecurity risks.
Companies are expected to disclose information about the role of the board in overseeing cybersecurity risk management. By providing investors with clearer insights into cybersecurity risks and incidents, companies aim to enhance investor confidence and trust. Transparent and comprehensive disclosures contribute to a more informed investment decision-making process.
The SEC cybersecurity disclosure requirements took effect recently for public companies, requiring them to report material cybersecurity events to the SEC and investors. I can simultaneously hear both a waterfall of tears and a resounding applause coming from the cybersecurity sectors, as this has serious ramifications for how many companies chose to handle such notifications (if they did so at all in the past).
Henceforth, investors should consistently get the benefit of being informed in a timely manner of material incidents that now include cyber-attacks! They have this right to understand issues with their investments, and material cyber events were often missing from the picture until now.
The genesis of this requirement was that many organizations chose to delay for unreasonably long periods or find excuses not to report such issues to the public. In fact, many such admissions only occurred after security researchers or the attackers themselves went public first, thereby forcing the victim organization to communicate to its shareholders, partners, and customers. Sadly, many games were being played and the requirement to report material issues was played fast-and-loose, to the detriment of investors and consumers.
Not any longer. Now the decision is to either lawfully comply or potentially be prosecuted by the SEC and perhaps in related class action sized litigation. The masquerade party is over.
These requirements represent an additional benefit to cybersecurity. As companies come forth to report significant digital attacks, it will reveal the true nature, scale, and maturity of cybersecurity across the landscape of public companies. No more hiding, concealing, or minimizing cyber-attacks. We will get to see a clearer picture of the aggressive nature of attackers, the scale of malfeasance, and the incompetence of organizations to manage risk in a reasonable way.
It is time for transparency. Today represents a new dawn that will drive positive changes - including increased accountability, investment, and prioritization for protecting our digital world.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever-shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. He is a public advocate for best practices and for communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. Matthew Rosenquist is experienced in building world-class teams and capabilities, managing security operations, evangelizing best practices to the market, developing security products, and improving corporate security services.