September 13, 2023
By Steve Rubin
Cybersecurity

The new Cybersecurity SEC Rules

Are we sharing too much with the hackers? New rule 106(b) requires companies to describe their process for managing cybersecurity risks. According to the SEC, a company must describe any risk that would affect investment decisions, while steering clear of sensitive details. A reasonable investor needs to understand the “process”: it is the “process” that is to be disclosed, NOT policies and procedures, so that companies avoid disclosing operational details that could be weaponized by threat actors. That process vs. policy distinction should be interesting to implement. A company must also disclose whether it engages a consultant or other third parties, and whether it has processes to oversee material risks associated with the use of a third-party provider.