4 Questions CISOs Need to Answer Before the SEC Deadline

October 26, 2023

The newly expanded SEC Rule 17 covering Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure goes into effect on December 15, 2023. The rules require public companies to disclose the policies and procedures, if any, for the identification and management of cybersecurity threats, including operational risk (i.e., disruption of business operations), intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other legal and reputational risk. The rules also require companies to disclose material cybersecurity incidents within 4 days on a Form 8-K.

With the deadline looming, CISOs and other executive stakeholders should answer these four critical questions:

1. What Are the “Crown Jewels,” or Assets Our Business Functions Rely on?

Crown jewels are the assets that run critical operations and ensure functionality of the business. Compromise of these critical assets and their networks could have severe safety, financial and/or reputational consequences for the business. Identifying these assets is an essential first step in any effective risk management strategy.

CISOs should work closely with department heads and executives to pinpoint these key infrastructure components and how they might be impacted by a cyber incident. To do this well, a thorough inventory of all IT, OT and IoT devices across the business will be essential. Once identified, these assets should be ranked by priority in terms of risk mitigation measures and incident response planning...