Here is the Letter the SEC Should Send to Investors on Cyber
Below is a draft letter that I believe the Securities and Exchange Commission (SEC) should send to investors:
"The <insert team name within the Securities and Exchange Commission> recommends, given the relentless intensity of nation-state cyber-attacks by countries such as Russia and China on public companies, that investors accept and assume, in all investment decisions, that 100% of public companies are in some stage of being attacked by foreign military entities.
In addition, both foreign and domestic cyber criminals and cyber terrorists have expanded their offensive capabilities significantly. These actors can now routinely engage in cyber-attack campaigns that are beyond the reasonable ability of any corporate entity to handle. Even our own commission was attacked several years ago, and it took months to realize the damage.
What this means is that when you make an investment in a public company, you must assume that this company has already been subjected to a cyber-attack, or is currently being attacked. This should inform all investments. For all public companies. 100% of them. With no exceptions. You are hereby informed.
Our views are influenced heavily by comments made by the former Director of the Federal Bureau of Investigation (FBI), Mr. Robert Mueller, who is directly quoted as follows: “There are only two types of companies: Those that have been hacked, and those that will be.” Investors should factor this statement into all present and future investments.
Given this tough situation for public companies, we are relaxing our requirements regarding cyber threat-related disclosures. We see no purpose in such intense reporting requirements, including the four-day window, given our observations above. This is consistent with our goal to consistently improve how we approach filings made under the Securities Act of 1933 and the Securities Exchange Act of 1934 to monitor and enhance compliance with applicable disclosure requirements.
Instead, we will redirect our budget to create a new scholarship fund that will support one hundred select Chief Information Security Officers (CISOs) from public companies to help advance their security and business training in participating universities and colleges in our country. We believe that all government entities must work with our nation’s security leaders, and never against them.
In summary, investors should expect and assume that all public companies are in some stage of being attacked. You do not need to be informed by their CISO or any other official. They are under attack - we can assure you. There are no exceptions. None.
And we hope that our new scholarship fund, a much better use of our resources and budget, will help to improve the resilience of our nation’s public companies. This will, we believe, help to protect investors much more effectively from the effects of this difficult cyber risk problem than our previous course of actions.”
Chief Marketing Officer | Advisor for Google | ForbesWomen | Fractional CMO | Strategy & Digital Transformation | Real Estate Investor | 6x Author | Thought Leadership in Forbes, FastCo, Inc., Rolling Stone & More
6 months
Business Growth Guide, Architect of CEO Peer Groups, Connector of SMB growth-minded Business Owners, Presidents, and CEOs
9 months
Edward, thanks for sharing!
Cyber Risk Engineer | Board Member | Research & Analysis On Cyber Events
11 months
While you do make some great points, I’d like to highlight that the SEC is focused more on investors than on the companies themselves. Investors staying informed is their #1 priority. The big focus of the new ruling is just to ensure that companies are reporting information that an investor would want to know (aka material events). If a company is properly handling its cyber risks, there should be no concern around reporting it. An investor has the right to know if a company was targeted. If anything, the increased transparency with this new ruling will encourage companies to improve their processes.
“True beauty is born through our kindness we offer to others. Being kind means responding to the needs of others. The best portion of a good man’s life is his little, nameless, unremembered acts of kindness and of love.”
12 months
Maximizing shareholder value is a function of how well an organization safeguards its data. Loss of shareholder value is a function of increased government regulation.
Edward Amoroso, well said. However, IMHO, the money might be better spent on training 100s of cyber defenders to leverage the power of AI to stay in step with attackers vs. 100 CISOs. No offense to CISOs, but they're only as good as their people. My $0.02.