CISOs beware: the SEC is watching
“The lessons [of this latest ruling] are that the SEC is paying attention to this issue,” Zukis said, “so get your house in order in terms of the new rules.”
“The SEC is being very patient with the new rules,” he added. But, he alleged, “there’s an enormous amount of non-compliance with the new rules. Companies are not describing the material impact of an incident in their current filings under the new rules. So get focused on your processes, get your documentation in place and disclose [information in filings] truthfully.”
“This isn’t rocket science,” he said, “but it requires some consistency and maturity in processes. The SEC will hold you accountable if you’re playing fast and loose with these rules. If your documentation [of cyber incidents] is inconsistent, you don’t have a mature process … It’s not about getting it right or wrong. It’s about showing you have some maturity as a business management and governance body to consistently apply some thoughtfulness and rigor to the process.”