“We need more accountability for the organization instead of focusing on the security leaders of these companies who, in many instances, have their hands tied by execs and the board,” said George Gerchow, a faculty member at cybersecurity consulting firm IANS Research. “We are becoming scapegoats. If this trend continues, you will see an even larger gap in security talent willing to put their credibility on the line, as well as facing charges by the SEC and DOJ.”
Friday marked one year since the SEC introduced new rules governing disclosures of cybersecurity attacks, but experts hold differing opinions on their impact, particularly in light of recent rulings suggesting the courts may have more regulatory power than the agency itself.
Regulation Systems Compliance and Integrity (SCI) was first adopted by the SEC in 2014 to address technological flaws in U.S. securities markets. An update in 2023 is intended to make disclosures of cyber breaches more consistent and comparable. The new rules require organizations to disclose any cybersecurity incident they deem “material” and to describe its likely material impact within four business days of making that determination. They also require registrants to describe their processes for identifying and managing risks from cyber threats.