Will Smaller Companies Buckle Under the SEC's New Requirements?
Even though the new incident reporting rules create pressure, they serve as a forcing function for building a strong security foundation.
The Securities and Exchange Commission's (SEC's) new incident reporting requirements have brought about many questions and concerns among security professionals and government bodies.
One argument is that the requirements are duplicative of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and will create more work for already resource-constrained cybersecurity teams.
Another is that a four-day disclosure window is not only too early to determine the impact, but that disclosing sensitive breach information publicly on the heels of a breach could attract bad actors to exploit the vulnerability before it's fixed.
Opinions and speculation aside, the challenges are real:
Data today flows across many companies, systems, and subsidiaries, making the task of distinguishing between victims and perpetrators incredibly difficult.
Determining what "may be material to investors" isn't always obvious and will require administrative work to figure out.
Establishing communication with business-level executives and the board will become more critical, requiring further education and training.
This is a herculean task for a large company with a chief information security officer (CISO) and a full security operations center (SOC) team; now imagine what it will be like for smaller companies with fewer resources.