After several months of anticipation, the SEC finally voted to adopt new cyber rules for publicly traded companies. This piece provides a high-level summary of the rules and advice for CISOs on next steps.
The SEC has voted to adopt new rules requiring publicly traded companies to enhance and standardize disclosures of ‘material’ cyber incidents. Under the new rules:
The SEC scrapped a provision that would have required companies to disclose board members’ cyber expertise; however, directors must still exercise oversight of cybersecurity risk management processes, and those processes must be described in annual reports.
George Gerchow, IANS Faculty, maintains that the ruling is a great step toward the accountability needed to protect both consumers and the investor community:
“The reality is that most companies are ill-prepared to meet the requirement of reporting an incident of material impact within four days. One thing to note is that this ruling doesn’t require the reporting of technical details, but in the event of a breach, it will inevitably come down to tech at some point -- and no company is prepared for that. While we are still waiting to see what the penalties for failing to report will be, we can assume from incidents like Uber and SolarWinds that it will lead to a DoJ situation where individuals’ jobs will be on the line.”
For CISOs, we recommend the following:
The new SEC rules give security executives an opportunity to connect security issues to the board’s risk oversight and strategic leadership responsibilities. In its ruling, the SEC re-emphasized the materiality of cyber risk, and the rules create an opportunity to elevate cyber’s role in the business, the board’s role in cyber oversight, and cyber expertise on public boards.
However, in our research study, we found that a majority of CISOs lack the broad business experience and advanced degrees commonly sought for board membership: only 32% of Russell 1000 CISOs have professional experience outside of cybersecurity, and 38% have an advanced degree. On most boards, cyber understanding is insufficient, and our study also reveals that most companies lack even a single board director with cybersecurity expertise. CISOs appear to be logical candidates to fill this gap, but the question is whether CISOs possess the qualifications to serve as effective board members.
For CISOs, more work is required to prepare for a board position. Here are the traits boards seek:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty