In today’s episode we taste a brew from New Belgium, specifically their Trippel. On the bytes front, we discuss the recent SEC rule changes relating to cybersecurity, including the 8-K and 10-K filings. The new 8-K rule requires that organizations disclose material cybersecurity incidents within four days of determining that the incident was material. The 10-K rule now requires organizations to make annual disclosures about their cybersecurity risk management programs, including how those practices are integrated into their broader risk management effort.
As discussed, I call out that I think organizations should:
- Document their process for evaluating an incident’s materiality, including updating IR plans with a swimlane for that activity and providing details on how materiality will be determined.
- Review their cybersecurity risk management programs in an open and honest way to ensure that their disclosures accurately reflect what they do and do not overstate their capabilities (à la SolarWinds).
I look forward to hearing your thoughts on these subjects and continuing the dialogue!
