Every company should feel urgency about maturing cybersecurity risk management. That’s the core message behind the heightened regulatory focus on cybersecurity — and with the U.S. Securities and Exchange Commission’s (SEC’s) final cybersecurity disclosure requirements for public companies taking effect in September 2023, it’s about to get real.
Cybercriminals keep finding new ways to monetize cyberattacks, prey on geopolitical instability, evade detection, exploit or re-weaponize vulnerabilities, and use AI to conduct attacks. Beyond business interruptions, lost revenues and assets, reputational damage, remediation costs, ransom payments, and liabilities to affected parties, national security and public safety are at stake. Citing a recent study showing that 98% of organizations use at least one third-party vendor that has experienced a breach in the past two years, the SEC has decreed that the time is now for enhancing and standardizing cybersecurity disclosures.
Even if you aren’t at a public company, you may be a third party to one — and investors and other stakeholders often hold private companies to the same standards. Plus, the SEC’s final rule is a good example of what we can expect from other cybersecurity legislation on the horizon, much of which goes beyond public companies.
In this article, John Wheeler, Senior Advisor, Risk & Technology at AuditBoard, explains why cybersecurity is everyone’s problem and offers a comprehensive guide to the new rules, including: