Welcome to the new Energy Central — same great community, now with a smoother experience. To login, use your Energy Central email and reset your password.

Richard "Dick" Brooks
Richard "Dick" Brooks
Expert Member
Top Contributor

CISA advisory committee urges action on cyber alerts and corporate boards

The MGM ransomware cyber-incident serves as a reminder that cyber-risks are business risks. The recommendations offered by CISA's Advisory Committee (Pillar I) contain prudent advice for CISA to help Corporate Officers and Directors understand cybersecurity practices needed to meet their obligations under the SEC Cybersecurity Regulations that go live in December 2023.

"Not every board member needs to be an expert in understanding and addressing the cybersecurity concerns of the company, but more board members need to be far better educated on how to understand cyber risk, how to better listen to and understand CISOs, and how to better evaluate the effectiveness of their companies’ cybersecurity plans. All board members should have a basic level of education on cybersecurity issues."

The Home Depot cybersecurity lawsuit brought by shareholders following a cyber-incident provides a sobering reminder of the personal liability risks to Officers and Directors "It blames the 12 individual defendants — 11 current and former directors and officers at Home Depot, as well as the company’s general counsel — for failure to oversee the company’s cybersecurity adequately."

Two articles posted in the recent past can help BoD members understand cybersecurity jargon, cyber-risks and vulnerabilities using everyday analogies we are all familiar with. There are also some valuable insights from the movie Titanic to help Officers and Directors prepare for SEC Cybersecurity Regulations

The FAIR Institute also provides some very useful advice to help Directors and Officers prepare for the December go-live for the SEC Cybersecurity Regulations:"Cyber risk management programs will have to be effective in helping measure and manage material risk"

 

I'm looking forward to seeing friends and colleagues on September 30 at the BSides CT conference hosted by Quinnipiac University where I'll present a talk on the the technical implementation steps to comply with SEC Cybersecurity disclosures for cyber-risk detection processes used in the software supply chain.