Category: Cyber and the Board

  • Espionage: Why US Companies Should Pay Attention to Breaches in Asia

    Espionage: Why US Companies Should Pay Attention to Breaches in Asia

    Introduction

    As cyber espionage campaigns targeting telecom operators intensify, US companies need to be vigilant. A recent report highlights a sustained campaign by Chinese espionage groups targeting telecom operators in Asia. Given the critical nature of telecommunications infrastructure and its role in national security, US companies must recognize the potential risks and adopt robust cybersecurity measures.

    Key Insights from the Report

    The espionage campaign, which began in 2021, involves advanced malware tools like Coolclient, Quickheal, and Rainyday. These tools enable attackers to gain deep access to targeted networks, allowing them to steal sensitive information and disrupt services. The campaign’s sophistication and persistence underline the need for heightened awareness and proactive defense strategies.

    Why US Companies Should Be Concerned

    1. Global Interconnectivity: The global nature of telecommunications means that breaches in one region can have ripple effects worldwide, including in the US.
    2. National Security: Telecom infrastructure is a critical component of national security. Breaches could potentially compromise sensitive government and corporate communications.
    3. Economic Impact: Cyber espionage can lead to significant financial losses, not just from direct theft but also from the cost of mitigating breaches and restoring systems.

    Suggested Mitigations

    To defend against such threats, US companies should consider implementing the following measures:

    1. Enhanced Monitoring: Continuously monitor network traffic for unusual activities that could indicate an intrusion.
    2. Regular Updates and Patching: Ensure all software and hardware are up-to-date with the latest security patches.
    3. Advanced Threat Detection: Utilize advanced threat detection systems to identify and mitigate threats in real-time.
    4. Employee Training: Conduct regular training for employees to recognize phishing attempts and other common attack vectors.
    5. Incident Response Plan: Develop and regularly update an incident response plan to quickly address any security breaches.
    6. Multi-Factor Authentication: Implement multi-factor authentication (MFA) to add an extra layer of security for accessing sensitive systems.
    7. Network Segmentation: Segment networks to limit the spread of malware and restrict access to critical systems.

    Conclusion

    The evolving threat landscape requires US companies to remain vigilant and proactive. By adopting these suggested mitigations, they can better protect their networks from sophisticated espionage campaigns and ensure the integrity of their operations. For detailed information on the recent espionage campaign and specific indicators of compromise, visit the Symantec Threat Intelligence blog.

  • What is IOC Pivoting?

    What is IOC Pivoting?

    IOC Pivoting refers to a method used in cybersecurity for threat detection and analysis. IOC stands for Indicator of Compromise, which is any piece of data that can identify potentially malicious activity on a system or network. Pivoting involves using these indicators to uncover further related indicators, thereby allowing security analysts to trace the path of an attacker and understand the scope of a security incident.

    Here’s a breakdown of how IOC Pivoting works:

    1. Identify an IOC: An initial indicator is identified. This could be a suspicious IP address, a file hash, a domain name, a URL, or an email address associated with known malicious activity.
    2. Analyze the IOC: The identified IOC is analyzed to extract additional information. For example, if a suspicious IP address is found, analysts might look at the domains associated with that IP or other connections made from that IP.
    3. Expand the Investigation: Using the information gathered from the initial IOC, analysts look for other IOCs. This might involve checking logs, databases, and other sources for related activity.
    4. Pivot to New IOCs: Each new IOC found is then used to pivot further. For example, a discovered domain might lead to finding associated email addresses or additional IP addresses.
    5. Map the Attack Chain: By continuously pivoting from one IOC to another, analysts can map out the attack chain, understanding how the attack unfolded, identifying all compromised systems, and determining the methods used by the attackers.
    6. Mitigate and Prevent: The information gathered through IOC Pivoting helps in creating effective mitigation strategies and improving defenses to prevent future attacks.

    This process is essential in advanced threat detection and incident response, as it helps in uncovering the full extent of an attack and understanding the tactics, techniques, and procedures (TTPs) used by cyber adversaries.
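    The six steps above, as a small pivot engine run over constructed log records. This is an added example and is not part of the original post. All host names, domains, IP addresses (RFC 5737 documentation ranges), hashes and sender addresses are made up. Beyond the steps as written, it adds the two controls a practitioner needs before pivoting on real telemetry: a prevalence guard, so that a shared benign indicator (a CDN address, the corporate mail relay) does not pull the whole estate into the incident, and a depth limit, so the expansion stops and the analyst reviews the chain before going further.

    ```python
    from collections import deque

    # Constructed sample telemetry (not real data): (log_source, fields) per record.
    LOGS = [
        ("dns",   {"host": "ws-104", "query": "update-cdn.example", "answer": "203.0.113.7"}),
        ("proxy", {"host": "ws-104", "dst_ip": "203.0.113.7",
                   "url": "http://update-cdn.example/agent.exe", "sha256": "a1b2c3d4e5f6"}),
        ("edr",   {"host": "ws-104", "sha256": "a1b2c3d4e5f6", "parent": "outlook.exe"}),
        ("mail",  {"host": "ws-104", "sender": "hr@payroll-notice.example",
                   "url": "http://update-cdn.example/agent.exe"}),
        ("mail",  {"host": "ws-211", "sender": "hr@payroll-notice.example",
                   "url": "http://portal-login.example/doc"}),
        ("dns",   {"host": "ws-211", "query": "portal-login.example", "answer": "198.51.100.23"}),
        ("proxy", {"host": "ws-211", "dst_ip": "198.51.100.23",
                   "url": "http://portal-login.example/doc", "sha256": "c3d4e5f6a7b8"}),
        # unrelated activity that must not be pulled into the investigation
        ("edr",   {"host": "ws-330", "sha256": "f00dbabe1234", "parent": "explorer.exe"}),
        ("dns",   {"host": "ws-330", "query": "www.example.org", "answer": "192.0.2.10"}),
    ]

    # Fields whose values are treated as indicators. "host" and "parent" are
    # context, not indicators: pivoting on them would join unrelated activity.
    IOC_FIELDS = {"query", "answer", "dst_ip", "url", "sha256", "sender"}


    def indicators_in(fields):
        """Indicator values in one record, regardless of field, so an IP seen as a
        DNS answer and as a proxy destination is the same node in the graph."""
        return {v for k, v in fields.items() if k in IOC_FIELDS}


    def build_index(logs):
        """Inverted index: indicator value -> records that contain it."""
        index = {}
        for source, fields in logs:
            for value in indicators_in(fields):
                index.setdefault(value, []).append((source, fields))
        return index


    def pivot(seed, logs, max_depth=6, max_prevalence=5):
        """Breadth-first IOC pivot from one seed indicator.

        Returns the indicators reached (with the pivot depth at which each was
        first found), the hosts that touched them, the (from, log_source, to)
        edges that make up the attack chain, and any indicator skipped as too
        common to pivot through.
        """
        index = build_index(logs)
        depth_of = {seed: 0}
        hosts, edges, skipped = set(), set(), set()
        queue = deque([seed])
        while queue:
            ioc = queue.popleft()
            matches = index.get(ioc, [])
            # Prevalence guard: an indicator present in too many records is not
            # discriminating, so it is recorded but not expanded.
            if len(matches) > max_prevalence:
                skipped.add(ioc)
                continue
            for source, fields in matches:
                hosts.add(fields["host"])
                if depth_of[ioc] >= max_depth:
                    continue  # keep the host, but stop expanding at this depth
                for new in indicators_in(fields) - {ioc}:
                    edges.add((ioc, source, new))
                    if new not in depth_of:
                        depth_of[new] = depth_of[ioc] + 1
                        queue.append(new)
        return {"indicators": depth_of, "hosts": hosts,
                "edges": sorted(edges), "skipped": skipped}


    if __name__ == "__main__":
        result = pivot("203.0.113.7", LOGS)
        for ioc, depth in sorted(result["indicators"].items(), key=lambda kv: kv[1]):
            print(f"depth {depth}: {ioc}")
        print("hosts to contain:", sorted(result["hosts"]))
    ```

    Starting from the single C2 address, the walk reaches the phishing sender on the first workstation, follows it to the second workstation's lure, and ends at a second C2 address and payload, while the third workstation's ordinary DNS and EDR records are never touched. Lowering max_depth to 1 stops at the first host; lowering max_prevalence to 1 refuses to pivot on the seed at all, which is the behaviour you want when the "indicator" turns out to be something half the company talks to.
    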

  • The Imperative for Cyber Talent on Corporate Boards

    The Imperative for Cyber Talent on Corporate Boards

    In an era where digital threats loom large over corporations, the integration of cyber governance within the boardroom is not just a strategic advantage but a necessity for safeguarding shareholder value. A recent study highlighted by David Strom on Dark Reading reveals a compelling narrative: corporations that embrace cyber governance are not just better protected; they’re significantly more valuable.

    The Value Proposition of Cyber Governance

    The study, a collaborative effort between Bitsight and Diligent Institute, delves into the cybersecurity practices of over 4,000 mid-to-large-sized companies worldwide. It uncovers a striking correlation between cybersecurity expertise and shareholder returns over both three and five-year periods. Specifically, companies that have dedicated efforts towards robust cyber governance have created nearly four times the shareholder value compared to those lagging in this area.

    Specialized Committees: The Game Changer

    One of the study’s key findings is the pivotal role of specialized committees in enhancing a company’s security posture and financial performance. Boards that delegate cyber oversight to these committees, particularly those with at least one cyber expert member, are more likely to see improvements in their overall security and financial outcomes. This approach allows for a deeper dive into specific cybersecurity issues, fostering stronger executive relationships and more informed decision-making at the board level.

    A Call to Action for Corporate Boards

    Despite the clear benefits, the study reveals a stark reality: a vast majority of companies have yet to integrate cybersecurity specialists into their boards effectively. Only a small fraction of surveyed companies, including 12% of S&P 500 firms, have such experts on their boards. This gap underscores a critical need for corporate boards to reassess their composition and governance structures to integrate cybersecurity expertise effectively.

    Beyond Compliance: Cybersecurity as a Strategic Asset

    The conversation around cybersecurity in the boardroom needs to shift from viewing it as a mere compliance requirement to recognizing it as a strategic asset. Cybersecurity expertise not only protects the company from digital threats but also opens avenues for revenue creation and operational agility. As the digital landscape evolves, so too should the strategic approach to cybersecurity governance at the highest levels of corporate leadership.

    What Can We Expect?

    The evidence is clear: integrating cyber talent into corporate boards is not just a matter of security—it’s a strategic imperative that significantly enhances shareholder value. As companies navigate the complexities of the digital age, those that prioritize cyber governance within their boardrooms will not only safeguard their assets but also position themselves for unparalleled growth and resilience.


    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.

    References:

    Dark Reading: Corporations With Cyber Governance Create Almost 4X More Value

  • The Imperative for Senior Leaders to Understand Cyber Threats

    The Imperative for Senior Leaders to Understand Cyber Threats

    In an era where digital transformation dictates the pace of business operations, cybersecurity has transcended its traditional IT boundaries to become a cornerstone of executive leadership responsibilities. A recent advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) underscores a grave and escalating threat landscape that demands immediate and strategic attention from the highest levels of organizational leadership. This advisory, titled “PRC State-Sponsored Actors Compromise U.S. Critical Infrastructure,” serves as a clarion call for C-level executives to reassess and fortify their cybersecurity postures against state-sponsored cyber activities.

    Understanding the Advisory

    The advisory details the sophisticated methods employed by the People’s Republic of China (PRC) state-sponsored actors to infiltrate and compromise U.S. critical infrastructure. These cyber operations are not opportunistic; they are strategic, aiming to undermine national security, economic vitality, and the very fabric of societal trust. The implications of such breaches extend beyond immediate operational disruptions, posing long-term risks to national interests and corporate integrity.

    The Role of Executive Leadership

    As strategic stewards of their organizations, C-level leaders are uniquely positioned to drive a culture of cybersecurity resilience. The advisory is not just a technical report; it is a strategic document that highlights the need for a top-down approach to cybersecurity. Executive leaders must:

    1. Champion Cybersecurity as a Strategic Priority: Cybersecurity must be integrated into the core strategic planning processes, aligning with business objectives and risk management frameworks.
    2. Foster Interdepartmental Collaboration: Breaking down silos between IT, cybersecurity, operations, and other business units is crucial. A unified front is more effective in identifying vulnerabilities, responding to threats, and ensuring business continuity.
    3. Invest in Advanced Cybersecurity Solutions: Leveraging state-of-the-art cybersecurity technologies and services is essential. This includes threat intelligence, advanced monitoring, and incident response capabilities tailored to counter state-sponsored cyber activities.
    4. Promote Cybersecurity Awareness and Training: Building a culture of cybersecurity awareness across all levels of the organization is vital. Regular training and simulations can prepare the workforce to recognize and respond to cyber threats effectively.
    5. Engage with Government and Industry Partners: Collaboration with government agencies, such as CISA, and industry peers can provide valuable insights, share best practices, and enhance collective defense strategies against common threats.

    Moving Forward

    The advisory from CISA is a stark reminder of the sophisticated and persistent nature of state-sponsored cyber threats. It is imperative for C-level executives to take a proactive stance, leveraging their strategic acumen and leadership to safeguard their organizations. The responsibility to protect critical infrastructure and maintain trust in the digital economy is a shared one, requiring concerted efforts across the public and private sectors.

    In conclusion, the call to action is clear: C-level leaders must prioritize cybersecurity, not just as a technical issue, but as a strategic imperative critical to their organization’s resilience, competitive advantage, and long-term success. The advisory serves as a roadmap for action, urging leaders to reassess their cybersecurity strategies, invest in robust defenses, and cultivate a culture of security awareness and collaboration. The time to act is now, to ensure the safety, security, and prosperity of our organizations and the nation at large.

    Read more about the CISA Joint Cybersecurity Advisory.


  • Do CISOs Serve as Human Shields for the Board?

    Do CISOs Serve as Human Shields for the Board?

    In a revealing article by Noah Barsky on Forbes, the recent actions of Clorox following a major cyberattack pose critical questions about the role and treatment of Chief Information Security Officers (CISOs) in corporate governance. This is certainly not unique: the CISO is often the sacrificial lamb after an incident.

    “It could be asked that if CEOs can suffer when earnings are bad, so isn’t this the same?”

    The answer is no because the CEO should have the power to implement what is needed. The CISO is often not as empowered and must make the best with what they are given. In essence, the CISO could be handed a losing hand from the beginning with no power to change it.

    In the case of Clorox suffering one of 2023’s most costly cyberattacks, which disrupted production and significantly impacted revenues and valuation, Clorox’s response was telling. The company chose to empower and enrich its board and C-suite, while simultaneously announcing the departure of its CISO, Amy Bogac. This move highlights a concerning trend where CISOs are positioned in a precarious situation, expected to manage cybersecurity risks without adequate support or recognition, and often bearing the brunt of responsibility in the event of a breach.

    The article points out several governance issues in Clorox’s approach:

    • The lack of direct mention of cybersecurity in the opening statements of the CEO and outgoing chair in the proxy statement.
    • The reappointment of all board directors without any professional IT or cybersecurity experience.
    • No establishment of a dedicated technology or cybersecurity committee.
    • The cyber preparedness plan, despite the significant breach, showed no substantial updates from previous years.

    This situation at Clorox exemplifies a broader issue in corporate governance where there is a disconnect between boards and cybersecurity leaders. The article cites a survey indicating that many board members still feel unprepared for cyberattacks and have limited interaction with their CISOs.

    Reflection:

    • How can companies better integrate cybersecurity into their corporate governance and board responsibilities?
    • What steps should be taken to ensure CISOs are not merely scapegoats but are empowered to effectively manage cybersecurity risks?
    • Is the current corporate structure adequate to address the evolving challenges of cybersecurity, or are more radical changes needed?

    Read the Forbes article here: Clorox Scapegoats Cyber Chief, Rewards Board After Crisis (forbes.com)


  • Are boards and CISOs finally aligning? Not in Healthcare.

    Are boards and CISOs finally aligning? Not in Healthcare.

    Great findings from the Proofpoint 2023 Survey! It’s worrying that Healthcare boards and CISOs aren’t talking enough, especially with rising cyber threats.

    In general, the collaboration between CISOs and board members has significantly improved, providing optimism that views on cybersecurity in the boardroom are evolving. It’s no longer seen merely as a compliance requirement but as a strategic asset that can influence business direction. This enhanced partnership seems to be elevating the board’s confidence in cybersecurity matters. Even amid worries about potential cyber threats and readiness gaps, board members express a sense of assurance and command over their security stance.

    The fact that healthcare boards are lagging in this area is a wake-up call for the industry. Regular executive sessions between the board and the CISO should be considered not just a “leading practice” but a necessity. It’s high time for healthcare boards to prioritize cybersecurity in their governance models.

    It’s crucial for boards to understand that cybersecurity is not just an IT issue but a strategic risk that can have significant implications on operations, clients, compliance, and public trust. The CISO’s role is pivotal in navigating these complexities, and their insights should be a regular feature in board discussions.

    A highlight in the report is that of all countries responding, the US is most likely to have board members and CISOs agree that they see eye-to-eye with each other. Also, 67% say that the CISO adequately supports them. However, more CISOs feel their organization is at risk of a material attack in the next 12 months than boards do.

    #CISO #HealthcareCybersecurity #BoardGovernance #QTE #CORPGOV


  • Three mistakes companies make in cybersecurity

    Three mistakes companies make in cybersecurity

    Throughout my consulting career, I have had the opportunity to guide numerous companies through challenging situations arising from inadequate cyber maturity. While each case presented its unique challenges, I consistently observed three major mistakes that companies tend to make when approaching cybersecurity. These mistakes, if left unaddressed, can leave organizations vulnerable to significant risks and potential cyber threats. By understanding and rectifying these mistakes, companies can strengthen their cybersecurity posture and mitigate potential damage.

    Mistake 1: Relying Solely on Compliance-Focused Programs

    One common mistake is relying solely on compliance-focused security programs, which prioritize meeting regulatory requirements such as PCI DSS, HIPAA, SOC 2, and ISO 27001. While compliance is important, it alone does not provide comprehensive protection against cyber threats. This approach often leads to a false sense of security and reactive measures that only address known risks and vulnerabilities. In today’s ever-evolving threat landscape, this approach falls short as cybercriminals constantly develop new attack methods. Compliance-focused programs are fragmented and do not adapt well to the changing nature of cyber threats. Organizations need a proactive and comprehensive security strategy that goes beyond compliance to effectively defend against evolving threats.

    Mistake 2: Treating Security as Solely an IT Problem

    Treating cybersecurity as solely an IT problem is another mistake that fails to recognize it as a business risk requiring board-level oversight. Cybersecurity impacts the entire organization and extends beyond technical aspects. Breaches can result in substantial financial losses, reputational damage, and loss of trust. Viewing cybersecurity as solely an IT issue leads to siloed thinking, inadequate investment allocation, and a lack of accountability at the highest levels. It overlooks the importance of cross-functional collaboration, cultural change, and non-technical factors such as employee training, incident response planning, and third-party risk management.

    Mistake 3: Thinking a Penetration Test Implies Security

    A misconception is assuming that conducting a penetration test guarantees complete security. While penetration testing is valuable for identifying vulnerabilities, it does not provide a comprehensive solution on its own. Organizations often rely solely on penetration testing without addressing other critical aspects of cybersecurity. It offers a snapshot of security at a specific time, but cannot account for emerging threats or ongoing changes. Robust security requires a layered approach, including regular assessments, vulnerability management, training, incident response planning, and continuous monitoring. Recognizing the limitations of penetration testing and implementing a comprehensive security program helps protect against evolving threats and enhances overall security.

    To address these challenges, organizations must adopt a holistic approach to cybersecurity. Indeed, I first considered this to be a fourth mistake for the list but see it more as a method. It should be treated as a business problem and an enterprise-wide risk. It also must align with the business objectives of the company. This approach involves integrating regulatory requirements into a broader security strategy and engaging the entire organization, including the board of directors. By recognizing cybersecurity as a strategic concern, organizations can develop a comprehensive and systemic approach that encompasses people, processes, and technology.

    Tracc Development offers cybersecurity consulting services to small businesses. If you are a board member looking for great advice, consider EgonZehnder.


  • Cybersecurity: The Corporate Dental Visit (and Ignored Just as Much)

    Cybersecurity: The Corporate Dental Visit (and Ignored Just as Much)

    Picture this: You’re sitting in the dentist’s chair, mouth agape, as the dental hygienist meticulously scrubs away plaque and tartar, while the dentist peers into the depths of your oral cavity, searching for any signs of trouble. It’s a routine you faithfully follow, knowing that neglecting your dental health can lead to painful cavities or dreaded root canals. But have you ever considered the striking resemblance between this experience and the realm of cybersecurity? Yes, you heard it right! Cybersecurity is like the corporate version of a dental visit – I’ll admit, it’s an odd comparison but bear with me.

    Amidst discussions about profits, market strategies, and expansion plans, cybersecurity is often forgotten. Like an unnoticed cavity silently eroding dental health, cybersecurity is often disregarded or pushed aside by CEOs and corporate boards. Perhaps it’s the complex jargon or the misconception that cybersecurity is merely “an IT department’s concern”. (Boards Are Having the Wrong Conversations About Cybersecurity, Harvard Business Review) Regardless, this lack of attention leaves businesses vulnerable to an array of threats, just as neglecting dental health can lead to excruciating toothaches. In this case, though, the toothache can become a life-threatening issue for the organization.

    Still struggling with the corporate dental visit analogy? Let me draw some more parallels:

    Preventive Care: Just as you visit the dentist regularly to prevent dental problems, cybersecurity also emphasizes preventive measures. In cybersecurity, implementing strong security measures, such as firewalls, antivirus software, and regular system updates, helps to prevent potential threats and vulnerabilities.

    Regular Check-ups: Dentists recommend routine check-ups to identify any dental issues early on. Similarly, cybersecurity professionals conduct regular audits and assessments to identify vulnerabilities in systems and networks. By detecting weaknesses in advance, they can address them promptly and prevent potential breaches or cyberattacks.

    Education and Awareness: Dentists educate patients about proper oral hygiene practices and the importance of regular brushing, flossing, and dental visits. Likewise, cybersecurity professionals promote education and awareness about safe online practices, such as creating strong passwords, recognizing phishing attempts, and being cautious while sharing personal information online.

    Patching and Maintenance: Dental procedures often involve fixing cavities or performing dental cleanings. Similarly, in cybersecurity, regular maintenance tasks include patching software vulnerabilities, updating security protocols, and ensuring systems are protected against emerging threats. These actions help to maintain a strong cybersecurity posture.

    Many former executives were leaders before the current cybersecurity environment, and may not bring expertise, or even an approach for gaining that expertise, to their boards

    Lucia Milică & Dr. Keri Pearlson, Harvard Business Review

    Reactive Measures: In some cases, despite preventive efforts, dental problems may arise, such as tooth decay or gum disease. Similarly, in cybersecurity, despite taking precautions, breaches or attacks can still occur. Both dentists and cybersecurity professionals must respond promptly to address these issues and mitigate the damage caused.

    Specialist Expertise: Dentistry and cybersecurity both require specialized knowledge and expertise. Dentists undergo years of education and training to understand oral health, perform procedures, and provide expert advice. Similarly, cybersecurity professionals acquire in-depth knowledge of information security, emerging threats, and defense mechanisms to safeguard systems and data.

    Continuous Improvement: Dentistry and cybersecurity are constantly evolving fields. New techniques, technologies, and threats emerge regularly, requiring professionals to stay updated with the latest developments. Dentists attend conferences and workshops, while cybersecurity experts engage in ongoing training and certifications to enhance their skills and adapt to the evolving threat landscape.

    Long-term Health: Regular dental care is essential for maintaining long-term oral health. Likewise, a robust cybersecurity strategy is crucial for the long-term well-being of organizations, ensuring the confidentiality, integrity, and availability of sensitive data and systems.

    While cybersecurity and going to the dentist may seem different on the surface, they share similarities in terms of preventive care, regular check-ups, education, maintenance, reactive measures, specialist expertise, continuous improvement, and the focus on long-term health. Both emphasize the importance of proactive measures to prevent problems and the need for expert care to address any issues that arise.


  • Hackers Attempt to Taunt and Embarrass with Leaked Emails and Videos

    Hackers Attempt to Taunt and Embarrass with Leaked Emails and Videos

    The cybercriminals known as ALPHV, or BlackCat, have released screenshots of internal emails and video conferences that they allegedly obtained from Western Digital, suggesting that they maintained access to the company’s systems even after the breach was detected. This leak followed a warning from ALPHV on April 17th that they would escalate their attacks on Western Digital unless a ransom was paid.

    On March 26th, Western Digital experienced a cyberattack that resulted in data theft, but no ransomware was deployed. In response, the company shut down its cloud services for two weeks. TechCrunch initially reported that an anonymous group had breached Western Digital and stolen ten terabytes of data, including files signed with the company’s stolen code-signing keys and unlisted phone numbers. ALPHV later threatened to release the stolen data unless a ransom was paid.

    The group has now taunted and embarrassed Western Digital by releasing screenshots of internal emails and video conferences related to the company’s response to the attack. The leaked data includes a message from the hackers claiming to have customers’ personal information and a complete backup of Western Digital’s SAP Backoffice implementation. Although the data appears to be authentic, its source, and whether it was stolen during the attack, could not be independently verified by BleepingComputer. Western Digital has not negotiated a ransom, which has resulted in further threats from the hackers. The company has declined to comment on the leaked screenshots and the hackers’ claims.


  • The Pending SEC Cybersecurity Rule: What Boards Must Know

    The Pending SEC Cybersecurity Rule: What Boards Must Know

    The U.S. Securities and Exchange Commission (SEC) has proposed new cybersecurity regulations for companies that fall under its regulatory umbrella. The proposal has been in development for some time and is badly needed to address growing cybersecurity risk. In this article, we outline the key components of the proposed rule and explain why it matters for all boards, not just those of public companies.

    Overview of the proposed SEC Cybersecurity rule

    The proposed SEC rule has four main components. First, it requires companies to have written cybersecurity policies and procedures that are designed to protect the confidentiality, integrity, and availability of their information systems (commonly referred to as the CIA triad). These policies and procedures should be tailored to the specific risks and vulnerabilities of the company and should be regularly reviewed and updated.

    Second, the proposed rule requires companies to implement controls to ensure that their employees, contractors, and partners are trained and knowledgeable about cybersecurity risks and best practices. This includes regular training and awareness programs, as well as policies and procedures for reporting cybersecurity incidents and suspicious activity. It is these controls that are the focus of most certification programs, such as ISO 27001, SOC 2, CMMC, and PCI DSS.

    Third, the proposed rule requires companies to conduct regular risk assessments to identify and assess the likelihood and potential impact of cybersecurity threats and vulnerabilities. These risk assessments should be conducted by qualified personnel or third-party experts and should be reviewed and updated on a regular basis. In our opinion, all boards should consider external agencies for these assessments to mitigate conflict of interest. (i.e. The CIO may be conflicted to report security leaks to the board since they are in charge of building and managing a secure network.)

    Finally, the proposed rule requires companies to maintain a comprehensive incident response plan that outlines the steps they will take in the event of a cybersecurity incident. This plan should be designed to minimize the impact of an incident, contain the damage, and restore normal operations as quickly as possible.  This may sound like operations to a board, but there is a component all boards should consider: public review. In the face of an incident, the public may get involved and board members may be asked for statements. It is important that the board be aware of who the spokesperson should be and that person should be well trained in answering questions.

    Corporate Boards need an outside point of view

    Why the proposed SEC Cybersecurity rule is important

    Many board members incorrectly minimize cybersecurity, classifying it as an operational issue. The proposed SEC Cybersecurity rule addresses this head on, for several reasons. First, cybersecurity threats are an ever-present risk for companies of all sizes and industries. Cyberattacks can result in significant financial losses, reputational damage, and legal liability. Each of these risks falls squarely in the realm of board oversight. The proposed rule will force public companies to disclose their cybersecurity risk management and governance, and that will force boards to better understand and manage their cybersecurity risks.

    Second, the proposed rule will help to create a more consistent and standardized approach to cybersecurity risk management across the companies regulated by the SEC. This will make it easier for investors, analysts, and other stakeholders to compare and evaluate the cybersecurity risk profiles of different companies. It will also make it easier for the SEC to monitor and enforce compliance with the rule.

    Third, the proposed rule will require disclosure of cybersecurity expertise on the board. Akin to Sarbanes-Oxley requiring boards to have financial expertise, this may be a significant advancement in how boards view cybersecurity. It will help to promote a culture of cybersecurity within companies. By requiring companies to implement cybersecurity policies, training programs, risk assessments, and incident response plans, the proposed rule will encourage companies to take a proactive approach to cybersecurity risk management. This will help to ensure that cybersecurity is given the attention it deserves at all levels of the organization.

    Finally, the proposed rule will help to enhance transparency and accountability around cybersecurity risk management. By requiring companies to disclose information about their cybersecurity risks and practices, investors and other stakeholders will have better visibility into the cybersecurity risk profiles of the companies they invest in or do business with. This will help to promote better decision-making and risk management across the entire ecosystem.

    Presentation to the board

    Why should private companies care about this?

    Private and nonprofit companies are not regulated by the SEC, so why should this matter? Again, we look to the Sarbanes-Oxley Act for how this may play out. Twenty years ago SOX changed the boardrooms of public companies by mandating financial expertise on the board. Today, financial expertise on the board is expected everywhere, private companies and nonprofits included. The simple truth is that private companies tend to align to industry best practices, which are often set by public companies. As public boards change, we will see a parallel change in private companies.

    Conclusion

    The proposed SEC Cybersecurity rule is an important step forward in improving the cybersecurity risk management practices of companies regulated by the SEC. It will help to reduce the likelihood and impact of cyber incidents, create a more consistent and standardized approach to cybersecurity risk management, and promote a culture of cybersecurity within companies. Additionally, the rule will establish best practices that will affect private and nonprofit boards as well. As such, it is essential that board-level professionals familiarize themselves with the proposed rule and take steps to ensure their organizations are compliant if and when the rule is finalized.
