The Inner Circle


SEC's Proposed New Cybersecurity Disclosure Requirements

  • 1.  SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted Mar 21, 2022 01:42:00 PM
    Please take a look at these proposed cybersecurity rules from the SEC. We are in the comment period, I am interested in thoughts about getting a group together to provide some consolidated feedback from CSA. https://www.sec.gov/rules/proposed/2022/33-11038.pdf

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted Mar 22, 2022 08:37:00 AM
    Hey @Jim Reavis.

    I would be interested in participating if you pull together a group discussion.

    Do you have a timeline for developing a response?

    Cheers,
    alex.


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    ------------------------------



  • 3.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted Mar 22, 2022 09:29:00 AM
    If you put together a Zoom session I'd be happy to join.  My initial take is:

    • Defining what a "material" incident is leaves a lot to interpretation, especially "in the aggregate" - that's a lot of nuance that securities lawyers, corporate lawyers, privacy lawyers and cyber security SMEs can all probably completely disagree upon legitimately.
    • Instead of just reinventing a wheel that is already well established, why not just simplify and make an accredited external audit report a requirement? SOC2, ISO, NIST are all frameworks used by companies today and cover all these issues. And for a public company the tools and automation have made these very affordable - you can get a SOC2 done for <$10K nowadays with automated tools (labor and education costs are certainly extra, but that's part of the prep work that this initiative is hoping to encourage, presumably).
    • NIST/FedRAMP Continuous Monitoring reporting is much more effective at proactively reporting risk and control status. If you just report incidents, that assumes that the incident is known - the worst offenders won't even know they are breached. Better to report overall risk and control status - a very well defined process used for FedRAMP and CSF - and allow the investors to determine how risky the company's control status is based on that (again audited by a 3rd party).
    Seems overall a lot of loopholes and not a lot of value add vis-à-vis established audit and continuous compliance frameworks.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 4.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted Mar 22, 2022 10:30:00 AM
    Thanks all, I just talked to a law firm that will act as our facilitator so we can get community feedback put into a formal CSA response. More news to come this week.

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 5.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted Apr 06, 2022 12:06:00 PM
    Hi Jim.

    Just checking in. Are we going to have a video to help develop a consolidated CSA response? My plan is to draft my comments by the end of next week.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    ------------------------------



  • 6.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted Apr 06, 2022 01:33:00 PM
    We have a site set up for comments here

    Jim Reavis
    jreavis@cloudsecurityalliance.org
    CEO, Cloud Security Alliance
    +1.360.820.2545








  • 7.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted 29 days ago
    Yesterday, I commented on the proposed response. Overall, I like what is being proposed. In a number of places, the SEC asked about specific forms and the like. Some of it felt like a legal question or a form production question so I did not feel comfortable responding. I would be willing to collaborate.

    Below are the broad strokes of what I am thinking. Thoughts?
    • Very much support what the SEC is proposing. It is reminiscent of what we have seen before with other disciplines like finance/accounting.
    • It seems to me this is about protecting investors/preserving trust in the system along with increasing cyber hygiene.
    • A notice within four days is appropriate, but a formal report is not. I think it was @Robert Ficcaglia who suggested 10 days made more sense. History tells me that updates will be required over time as the situation unfolds and the full impact is understood.
    • I would also like to have Law Enforcement and potentially Homeland Security weigh in before anything is disclosed publicly. It is not unusual for them to want to keep something out of the headlines to preserve the integrity of their investigation.
    • I would not require intimate details like policies and procedures to be disclosed. The same with results of assessments, attestations, and the like. It would give too much information to the bad guys and probably not add much value.
    • Board Members with special expertise, like cyber, should be protected from additional liability. This is common practice and should be honored.
    • Disclosing the BOD's cyber expertise and the broad strokes of their cyber program makes a lot of sense. I would make the details optional.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    ------------------------------



  • 8.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted 29 days ago
    Hi Jim!

    I'm a former securities and insurance licensed professional: Series 7, 31, 56... for 10+ years, blemish-free broker record.

    I tend to be interested in all things SEC, financial management, and insurance by default.

    This is an interesting cybersecurity development...

    Best,

    ~ Coretta

    ------------------------------
    Coretta Jackson
    ------------------------------



  • 9.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted 16 days ago
    We had a good dialogue about the response. What are the next steps?

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    ------------------------------



  • 10.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted 9 days ago
    Hi Alex,

    We did a submission based on all of the comments received, with assistance from the Orrick & Harrington law firm to create a cohesive response. We will post it in Circle soon. Thanks for your help!

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 11.  RE: SEC's Proposed New Cybersecurity Disclosure Requirements

    Posted 8 days ago
    Hi Jim.

    That is good to know. I look forward to reading the submission.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Sharpe Management Consulting LLC
    alex@sharpellc.com
    United States
    ------------------------------