How have CISOs responded to SEC cyber risk disclosure rules?


It has now been exactly one year since new cyber risk disclosure rules forced listed companies in the US to detail the Board of Directors’ oversight of cyber risk and compelled the disclosure of “material” cybersecurity incidents within four days.

On July 26 2023, the Securities and Exchange Commission (SEC) said it was introducing the rules to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies” – and emphasised that disclosures will need to be made publicly available in machine-readable inline XBRL format.

At the time, the US Chamber of Commerce warned that SEC’s “unprecedented micromanagement of companies’ cybersecurity programs” was “misguided”. Find out why the rules triggered “fury” in our original coverage.

Have the rules achieved their goals and how are CISOs doing things differently? The Stack spoke to industry experts to find out.

George Gerchow, Faculty at IANS Research and Head of Trust at MongoDB, said “not much has changed”.

“While organizations are trying to be more transparent, the lack of significant fines or penalties allows the same bad habits to…
