Four ways companies can respond and more effectively comply with the SEC’s new cybersecurity rules

With two major actions in the last six months of 2023, the Securities and Exchange Commission (SEC) has made it clear that it plans to get tough on cybersecurity. As a result, chief information security officers (CISOs) and their teams will need to expand their focus from the battlefield to the boardroom, as the threat landscape emerges more than ever as a business concern first and foremost.

In July, the SEC announced the implementation of rules (which went into effect December 18) requiring the disclosure of “material” threat/breach incidents within four days, as well as annual reporting on cybersecurity risk management, strategy, and governance.

And in October, the SEC charged Austin, Texas-based software company SolarWinds Corporation and its CISO, Timothy G. Brown, with fraud and internal control failures. The SEC contends that SolarWinds disclosed “only generic and hypothetical risks” in formal filings at the same time that Brown and other executives and employees knew of specific issues impacting SolarWinds’ security, along with increasingly elevated risks.

This is the first time that the SEC has brought cybersecurity enforcement claims against an individual, as well as…
