Cybersecurity incidents are unavoidable, but boards can govern in ways that make it much harder for adversaries to put the business at risk.
In the face of unrelenting pressure from major cyber incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to deal with cybersecurity. Public companies are evaluating responses to new SEC rules calling for disclosures regarding cybersecurity strategy, risk management, and governance practices. The SEC’s action against SolarWinds is setting off alarm bells throughout the cybersecurity community, causing CISOs to worry about personal liability and companies to reassess their D&O policies. Who will be next?
Cybersecurity incidents are unavoidable. However, in many recent high-profile cases, these incidents have exposed governance and management weaknesses and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes. Only after these incidents do companies go to great lengths to revamp their cybersecurity. Why not before? Can this be chalked up to the tendency of human nature not to prepare for the future, or are there another…