One Year On: The SEC’s Cybersecurity Disclosure Rules and Their Unintended Consequences for CISOs


Friday marked one year since the SEC introduced new rules for disclosing cybersecurity attacks, prompting a range of opinions on their impacts, particularly following recent court rulings that suggest judicial bodies may hold more regulatory power than the agency itself.

The updated rules, which are part of the SEC’s Regulation Systems Compliance and Integrity (SCI), require organizations to disclose any cybersecurity incident they deem “material” within four business days of determining that it is material. The required disclosures cover not only the incident itself but also the organization’s processes for identifying and managing cyber risks.

George Gerchow, a faculty member at cybersecurity consulting firm IANS Research, commented on the increased personal risks for Chief Information Security Officers (CISOs). He stated, “We need more accountability for the organization instead of focusing on the security leaders of these companies who, in many instances, have their hands tied by execs and the board. We are becoming scapegoats. If this trend continues, you will see an even larger gap in security talent willing to put their credibility on the line, as well as facing charges by the SEC and DOJ.”