Yesterday the US Securities and Exchange Commission (SEC) voted 3-2 to issue long-awaited regulations that mandate uniform cyber incident disclosures for public companies. The SEC's rulemaking process has been lengthy and controversial, and cybersecurity experts and business advocates have been eagerly awaiting the release of the final rules after more than a year of public comment and lobbying from both groups.
New rules requiring publicly listed firms to disclose serious cybersecurity incidents within four days have been adopted by the US Securities and Exchange Commission (SEC). The tough new rules, although undoubtedly well-intentioned, are likely to leave some firms angry that they are being "micromanaged" and, it is argued, could even assist attackers.
Preventing data loss is a concern for almost every organization, regardless of size, and especially for organizations that hold sensitive data. Organizations now rely more than ever on voluminous amounts of data to conduct business. When data leakage or a breach occurs, the organization is forced to deal with the negative consequences, such as the high cost of data breach fines and remediation and reputational harm to its company and brand.
Trust is hard to earn but necessary for any successful relationship. As organizations build the systems to support Zero Trust, they find themselves balancing security and functionality across their operations. Incident Response and Network Operations in particular can be full of traumatic experiences, and as we sink into those moments the typical responses are freeze, flight, or fight.
The NIS2 Directive, published in December 2022, sets out a series of measures for improving cyber risk management throughout the European Union. All EU member states must apply the Directive as part of national law by October 2024. By the same date, all applicable organizations must comply with the measures set out in NIS2.