Takeaways from SEC Cyber Rule
Earlier today the SEC adopted a critical rule on how public companies must disclose and respond to cyber incidents. This is a monumental step forward in overall transparency as attacks continue to rise, but it is of great importance that executives and boards think through their approach to meeting and, more importantly, exceeding the new requirements.
For those of us working in the cyber security space, we are intimately aware of the similar rules put in place over the last couple of years that govern how our financial institutions, as well as the organizations that support our critical infrastructure, respond to such events. I have personally seen the diligence, collaboration, humility, and genuine curiosity with which these companies have approached the change, and it is important that this mindset carries over into the rest of the public market.
To date, we have seen and experienced the financial impact on organizations as they deal with and respond to cyber incidents. Oftentimes the situation is handled with a high variance in time-to-remediation, and the stock price bounces back once out-quarter guidance is given on how the revenue impact will be addressed and ultimately made up. I think we need to brace for impact when it comes to the volume of reported incidents inevitably rising. Here are three questions I would have top of mind as a leader as we prepare for what life looks like going forward:
This third question is burning a hole in my brain because it will prove to be a complex task. With the average dwell time for attackers still well over two weeks, and average recovery times over three weeks for critical applications, the world as a whole is struggling to find the answers it is looking for within a four-day period, let alone to have a coherent plan for remediation and recovery to a clean go-forward operational state. Concepts like Mean-Time-To-Detection and Mean-Time-To-Remediation will surface, along with a firmer definition of Maximum Allowable Downtime.
To be clear, I think this is a great step forward, but it will require a lot more thought, partnership, honesty, and ultimately reflection on whether or not companies are truly prepared to effectively respond to an incident rather than report the problem without a clear path towards resolution. Markets hate uncertainty, and right now uncertainty is what we have when it comes to universally identifying how quickly a company can resume operations post-incident.
Vendors will be challenged to be stronger partners not only with their customers but also with the incident response firms and cyber insurers that support those customers. Looking through this new lens will require the cybersecurity industry to commit R&D cycles to key areas such as user analytics, DLP, threat detection and response, infection quarantine, and a well-defined cyber recovery orchestration plan across hybrid, cloud, and SaaS.
Thanks, John, for sharing. For companies with a mature cybersecurity program, only minor changes may be required, but primarily it creates the additional burden of providing sufficient details that allow a determination of materiality, which is central to the disclosures, as described in this blog post.
John, you are misreading the requirement. A company needs to report the incident not within four days of it occurring, but within four days of the company determining that the incident was material. That typically happens well into, and most often after, the investigation is complete.
Technology leader/consultant, results-driven PM adding value to the business through technology and innovation.
1 year ago: This is a positive move forward, but it will cause a huge ripple in the public sector. Most are not prepared for this.
Girl Dad | Sports Junkie Federal Account Executive @ Elastic | Fed Financials & SSA
1 year ago: Great summary, John Koretoff! I think you nailed the questions that leaders need to be thinking about.
GTM Leader @ Rubrik, Inc. | Founding Partner
1 year ago: The SEC press release can be found here: https://www.sec.gov/news/press-release/2023-139