May 17, 2024 at 10:03AM
CISO Steve Cobb noticed public companies seeking more control over third-party incident response in light of the SEC’s cybersecurity risk management ruling, which affects how companies handle incidents. 68% of cybersecurity teams doubt their ability to comply with the SEC’s four-day disclosure rule. Larger public firms are better equipped than smaller companies and third-party providers, raising concern about whether the latter can meet disclosure requirements. CISOs are facing increased pressure and potential personal risk in the event of breaches.
From the meeting notes, the key takeaways include:
1. Publicly traded companies are seeking more control over third-party incident response processes, influenced by the Securities and Exchange Commission’s ruling on cybersecurity risk management and incident disclosure.
2. Chief Information Security Officers (CISOs) are concerned about being held accountable for determining breach materiality, with potential personal and financial repercussions if they fail to comply with disclosure rules.
3. Many cybersecurity teams are doubtful about their companies’ ability to meet the four-day disclosure rule, as indicated by a survey by VikingCloud.
4. Larger public companies have established disclosure committees to evaluate the material impact of cybersecurity incidents, while smaller companies face challenges in defining breach materiality and may struggle with compliance.
5. Third-party providers and smaller companies may be less prepared to meet disclosure requirements, with concerns about the human element leading to underreporting of incidents.
6. CISOs are increasingly under pressure to bear the legal repercussions of breach response, with concerns about being viewed as expendable within the cybersecurity industry.
These takeaways highlight the challenges posed by evolving regulatory requirements, the disparity in readiness among companies, and the increasing burden on CISOs in ensuring compliance and managing incident response effectively.