The SEC (the financial one, not the NCAA) will make an announcement in April regarding cybersecurity policies and disclosures. The proposals and changes were published in March 2022 and were open to public comment twice. There was a lot to say about them (in the end, they closed up discrepancies and holes in the reporting of cyber incidents that were created by the first amendment, in 2018, to the 2011 regulation).
Why should a "regular" business owner care (especially since the Securities and Exchange Commission has nothing to do with privately held companies)? The SEC shows the highest level of government has an interest in protecting shareholders to the maximum extent before investing in a company, specifically related to cybersecurity.
Reader's Digest version of the potential changes: disclosing material* cyber incidents; providing updates on previous/ongoing incidents; disclosing cybersecurity policies and programs; detailing the expertise of board members who claim to be cyber experts.
*Materiality is assessed upon determination, not discovery... which leaves a lot of questions about how to make that call so that companies can comply, since it requires both a qualitative and a quantitative analysis. Also, what if non-material incidents become material when aggregated?
The government wants accountability. The government wants the public protected. The government wants cyber - and by implication business continuity - taken seriously.
The interesting thing about federal regulations is that they come with fines. It's up to the business to decide whether investing in compliance is worth it, or whether it would rather just pay the fines for non-compliance. A lot of major, international businesses vote for the latter as a cost of doing business.
But here's a question:
Would you proudly advertise to your clients or vendors that your business plan was to operate in a continued state of risk? How do you think they would respond? Would they continue to do business with you?
Deep thoughts by EaaS Consulting.
Secure. Survive. Thrive.