Dive Brief:
- Companies facing sharper regulatory scrutiny of their cyber weaknesses need to coordinate employees devoted to cybersecurity with those responsible for disclosing cyberattacks, according to Brent Wilner, a Securities and Exchange Commission (SEC) senior counsel.
- “What you have here is sort of this disconnect between the real cybersecurity experts — the people who can, you know, the CISOs that understand the nature of the incident, the nature of the breach, the nature of the information that’s been exposed — and the people who are making the disclosure,” according to Wilner, senior advisor to the SEC’s Crypto Assets and Cyber Unit.
- “Public companies need to be mindful of how they can bridge that gap,” Wilner said Thursday at Securities Enforcement Forum West. “This is really critical.”
Dive Insight:
The SEC under Chair Gary Gensler has bolstered investor protections against losses in crypto markets and mismanagement of cyber risks.
The SEC in March proposed tougher, more detailed rules for cybersecurity disclosure, including deeper company reports on cyberattacks and regular filings on cyber risk management, governance and strategy. Companies would need to report breaches within four days.
“Consistent, comparable and decision-useful” disclosure standards “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” Gensler said before the commission approved the proposal in a 3-1 vote.
Gensler this month announced plans to expand the SEC’s Cyber Unit to 50 enforcers from 30, adding investigative staff attorneys, trial counsels and fraud analysts, and to rename it the Crypto Assets and Cyber Unit.