Published: September 8, 2023

Security 3-2-1 Week of 9/8/23

By Annie

3 Interesting Articles

New SEC Cybersecurity Disclosure Rules
TalPoint: The U.S. Securities and Exchange Commission (SEC) has introduced new regulations to improve transparency regarding cybersecurity risk management, strategies, and incidents in businesses. Key aspects of the regulation mandate that companies must have cybersecurity expertise on their board, report on their cybersecurity risk management programs annually, and disclose significant cybersecurity incidents that could influence investment decisions. Companies are advised to assess their data inventory, potentially deleting unnecessary data and encrypting critical data. These rules will come into effect 30 days after their publication in the Federal Register, with specific forms having individual due dates. The overall goal is to maintain investor trust and market stability through clearer and consistent cybersecurity disclosures.

Cyber professionals say industry urgently needs to confront mental health crisis
CyberScoop: The rise of the coronavirus pandemic in early 2020 amplified the stress and workloads for many, but for cybersecurity professionals, the burden was even greater due to the responsibility of protecting health data transferred between major healthcare entities and the CDC. Despite being accustomed to demanding work hours, the weight of ensuring Americans’ data security during this critical time led to significant burnout for cyber professionals. This narrative is not unique; many cybersecurity experts face constant pressures, with some even leaving the industry due to overwhelming stress. A 2022 study found that two-thirds of cybersecurity professionals experienced high work stress levels, with half receiving medication for their mental health. The persistent mental health struggles in this sector have been exacerbated by the pandemic, and many are calling for stronger support structures and a focus on employee well-being.

Cooperating Federal Contractor Resolves Liability for Alleged False Claims Caused by Failure to Fully Implement Cybersecurity Controls
U.S. Department of Justice: Verizon Business Network Services has agreed to pay over $4 million to settle allegations under the False Claims Act that it failed to meet specific cybersecurity controls in IT services provided to U.S. federal agencies. The settlement is related to Verizon’s Managed Trusted Internet Protocol Service (MTIPS), which allegedly did not fully satisfy three essential cybersecurity controls between 2017 and 2021. After learning of the issue, Verizon self-disclosed, cooperated with government investigations, and took corrective actions. The Deputy Assistant Attorney General emphasized that the Department will continue to hold contractors accountable for failing to meet cybersecurity standards while crediting those that disclose and rectify misconduct. The case was part of the Department’s Civil Cyber-Fraud Initiative, aimed at penalizing deficient cybersecurity practices that put U.S. information or systems at risk.

2 Stats You Should Know

Over 55% of SaaS risk assessments find leakage of customer data, PII and other data. (source)

Ransomware shows no signs of slowing: as a proportion of all malware detections, ransomware activity ended 13 times higher than at the start of 2023. (source)

1 More Thing

Entering any data containing PII into GenAI products (ChatGPT, Bard, Bing AI Powered Search) may expose your company to liability. Did you know ChatGPT’s privacy policy states that customer consent is required if personal data is entered? If data is classified as private by GDPR, CCPA, or other privacy regulations, users must ask OpenAI to execute a data processing addendum. In the absence of education and internal policies governing the use of AI tools, most companies are taking on liability.

Our large and diverse network of experts is here to help...

Charles M.

Principal

Charles is a cybersecurity expert with 14 years of experience. He started his career in the U.S. armed forces and then transitioned into commercial roles. A security engineer by training, he's well-versed in tool deployment and administration.

Ellen K.

GRC Expert

Ellen brings a decade of GRC expertise to the TalPoint community. She's knowledgeable on a variety of frameworks and employs a methodical approach to compliance. She's available for needs assessments, gap assessments, internal audits and, for certain frameworks, running independent third-party audits.

Zachary C.

Founder and CRO

Zachary brings a 20+ year career in risk management to the TalPoint community. He's worked across healthcare, finance, and supply chain manufacturing. His broad experience offers both a holistic view of risk and a common-sense approach to risk management.