What CISOs Should Exclude From SEC Cybersecurity Filings>
N Cryp Tech – Kelly Springer
The new SEC rules require CISOs to determine what security incidents should be reported and what details should be included in those reports.
CISOs face the challenge of balancing the legal obligation to share information with investors while not revealing too much about their threat landscape to potential attackers.
The filings from Caesars, MGM, and Clorox under the new rules provide examples of what information can be included in these reports.
The focus is on what is known and avoiding speculation and predictions, as well as not sharing details that are likely to change.
CISOs must navigate three competing objectives: reporting as much as possible legally, sharing as little as possible from a cybersecurity perspective, and disclosing information they are confident about.
Initial details are often unreliable, so CISOs are advised to report what they know with 80-90% certainty.
Choosing which incident details are material can be challenging, and CISOs should keep disclosures simple, factual, and measurable.
There is a balance between disclosing information that is actionable for shareholders and avoiding providing attackers with more ammunition.
CISOs should also consider what information is already public and involve legal advisors to ensure compliance and protect discussions from legal discovery.
The SEC rules bring more attention to cybersecurity incidents and require prompt reporting within four days, bringing incidents to the forefront of board discussions.
Link: https://n-cryptech.com/what-cisos-should-exclude-from-sec-cybersecurity-filings/