The MGM ransomware cyber-incident serves as a reminder that cyber-risks are business risks. The recommendations offered by CISA's Advisory Committee (Pillar I) contain prudent advice for CISA to help Corporate Officers and Directors understand cybersecurity practices needed to meet their obligations under the SEC Cybersecurity Regulations that go live in December 2023.

"Not every board member needs to be an expert in understanding and addressing the cybersecurity concerns of the company, but more board members need to be far better educated on how to understand cyber risk, how to better listen to and understand CISOs, and how to better evaluate the effectiveness of their companies’ cybersecurity plans. All board members should have a basic level of education on cybersecurity issues."

The Home Depot cybersecurity lawsuit brought by shareholders following a cyber-incident provides a sobering reminder of the personal liability risks to Officers and Directors "It blames the 12 individual defendants — 11 current and former directors and officers at Home Depot, as well as the company’s general counsel — for failure to oversee the company’s cybersecurity adequately."

Two articles posted in the recent past can help BoD members understand cyber-risks and vulnerabilities

I'm looking forward to seeing friends and colleagues on September 30 at the BSides CT conference hosted by Quinnipiac University where I'll present a talk on the the technical implementation steps to comply with SEC Cybersecurity disclosures for cyber-risk detection processes used in the software supply chain.