What happened? The SEC (Securities and Exchange Commission) has introduced new rules that require public companies to be more transparent about their cybersecurity risks and any breaches they experience.
This means companies will need to regularly share information about how they're managing cybersecurity risks and any significant cybersecurity incidents they've had. If a company experiences a significant cybersecurity incident, they'll need to report it within four business days.
SEC Chair Gary Gensler said: ""Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
Why is this important? This new rule is likely to make cybersecurity a higher priority for companies. It could lead to increased investment in cybersecurity measures, as companies will want to avoid the potential negative publicity and financial implications of a breach. This is particularly relevant for C-level execs in not only public companies. The new rules are likely to be particularly beneficial for companies in the cyber security and compliance which are likely to see increased focus and budget allocation due to these new rules.
What do people think? There are quite a few opinions about this new rule. They vary markedly depending on who you ask. InfoSec professionals are looking at this from another lens and are not particularly impressed. I recommend forwarding this WSJ article to your C-level execs as budget ammo.