There’s a lot of talk about the Securities and Exchange Commission’s (SEC) “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule. It got a lot of publicity in November of 2023 when a ransomware gang tried to punish a victim for not paying by reporting the victim’s lack of disclosure to the SEC. Here’s what you need to know.
Final Rule: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
Press Release: https://www.sec.gov/news/press-release/2023-139
Fact sheet: https://www.sec.gov/files/33-11216-fact-sheet.pdf
Does it apply to me?
Are you working for a publicly traded company? If not, this doesn’t apply to your company. The SEC’s primary concern is protecting shareholders. If you’re part of a scrappy start-up or privately held enterprise, you can stop reading now.
Are you responsible for your corporation’s SEC filings or a CISO/CSO the filing people will ask for all the information needed to support the rule? If so, yes.
If you’re a lower-level person responsible for hardening systems, threat detection, or responding to hacks who might have to provide information for the report, your employer should have specialists who will guide you in what…
