Critic Ready

CR Industry Insights - July 2023

In March of 2022 the SEC proposed 7 new cybersecurity disclosure rules with an expected final publish date of April 2023. While this expected date has passed, the new rules are imminent. Companies, both public and private, should be utilizing this time to prepare for the upcoming mandatory governance and reporting requirements. 


The SEC’s proposed new cybersecurity disclosure rules include these items:

  1. Report material cybersecurity incidents on Form 8-K within 4 business days from the date the registrant determines the incident is material.
  2. Provide updated disclosure in periodic reports regarding any series of previously undisclosed, individually immaterial cybersecurity incidents that become material in the aggregate.
  3. Describe the organization’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning and capital allocation.
  4. Describe management’s role in assessing and managing such risk and in implementing the registrant’s cybersecurity policies, procedures, and strategies.
  5. Describe management’s cybersecurity expertise (i.e., does the registrant have a CISO or comparable); their credentials; and to whom does the CISO report.
  6. Describe the organization’s board oversight of cybersecurity risk.
  7. Describe whether any member of the organization’s board has expertise in cybersecurity, and if so, the nature of such expertise.


While your auditors, counsel and finance professionals will be there to help you with the mandatory reporting requirements – including the subtle nuances of qualitative versus quantitative materiality – Critic Ready is here to help you prepare, document and test your cybersecurity incident readiness.


How should you prepare for these impending new rules? Practice.

We feel strongly that the best way to determine an organization’s true state of preparedness and ability to respond is to practice your incident response plan (IRP). Really practice it, not just “review” the plan. Practicing your IRP using a tabletop exercise is key to establishing confidence in your plan and helps ensure there are no gaps. 


Our tabletop exercises give members of your team the opportunity to:

  • Better refine and rehearse their roles and responsibilities, 
  • Identify outdated or incorrect information, 
  • Improve team coordination, reducing the risk of a critical misstep during an actual incident,
  • Train secondary staff who are less familiar with the process or plans,
  • Identify any issues, challenges and / or assumptions,
  • Identify resources and means necessary to overcome any issues, challenges and / or assumptions, and
  • Provide the opportunity for leaders to practice their crisis management leadership skills.


In addition to the upcoming mandatory governance and compliance obligations, other ancillary benefits from running tabletop exercises can include lowering your company’s cyber insurance expense, identifying any gaps in customer reporting obligations, and ensuring all your 3rd party vendors are identified and up-to-speed on their reporting and incident response obligations to you.


By improving your IRP processes before an incident occurs, you reduce the risk of a misstep during an incident such as: failing to include or obtain approval from the authorized manager; losing critical time during an incident; sub-par messaging being communicated to the public or customers; failing to preserve essential evidence; risking reputational damage; or even being denied cyber insurance coverage.


Your company has an existing IR plan. Your company has an impending mandatory SEC obligation. Shouldn’t you learn how your plan performs?


Contact us to learn about:

  • Analysis of your IRP, and
  • Tabletop programs to empower your organization and test your IRP.


About Critic Ready

Our founders are both subject matter experts with over 40 collective years working within the cyber security industry. They are an experienced duo with incident response tactical experience and policy/legal background. 


After years of recommending other companies to those in their networks who asked, they decided to start their own firm. Critic Ready services are designed for both tenured teams and those who are just organizing their efforts.


The founders’ specific, relevant roles and experience include:

  • Implementing IRP tabletop exercises in public, military and private organizations for over 10 years.
  • Extensive experience at the US Navy providing Threat Intelligence/Cybersecurity operations and serving as a trainer for Navy personnel; acknowledged with accolades and awards.
  • Internal cyber security risk management and Threat Intelligence SME for various US government agencies.
  • Senior technical cyber attorney serving both the US Government and private industry; Advisory Board Member UIC Law School and adjunct professor in cyber security and data privacy; National Academy of Science - Transportation Research Board project advisor; Computer Information Security Privacy Advisory Board, Dept. of Commerce; Member of both the California and Texas Bars.

Copyright © 2023 Critic Ready, LLC - All Rights Reserved.
