Cyber compliance: Cohesity reacts to SEC announcements
July 2023 by Cohesity
The U.S. Securities and Exchange Commission (SEC) published new requirements for publicly traded companies. They are now required to disclose all significant cyber incidents within four business days, and to publish detailed information on their cyber risk management, strategy and governance on an annual basis.
In France, the Ministry of the Interior’s orientation and programming law (Lopmi) also requires companies that have been victims of ransomware cyberattacks to file a complaint within 72 hours if they wish to benefit from assistance and from reimbursement of a cyber ransom by their insurer.
In addition, the European NIS 2 directive, due to come into force in member states in the second half of 2024, imposes a new regulatory framework for cyber risk management, particularly in terms of analyzing the measures put in place for information systems security, business continuity, backup management and disaster recovery, as well as crisis management.
The question of critical and sensitive data, their clear identification and the protection measures put in place will therefore be at the heart of this new regulatory framework. In the United States, the SEC goes further, requiring affected companies to disclose the material impact of the attack, particularly in terms of the most critical data.
However, for Mark Molyneux, CTO EMEA at Cohesity, "Most companies will find it difficult to properly assess the value of data that has been stolen, altered, accessed or used for other unauthorized purposes, as much is hidden in the dark." Gartner refers to this as "Dark Data", which could represent up to 75% of a company’s total data. To best prepare for this new legislative framework, "Companies need to equip themselves with a modern, robust and intelligent system for safeguarding and classifying their data, not only to meet current compliance and transparency requirements, but also and above all, to counter the exponential threat of cyber-attacks, which are becoming ever more sophisticated and pernicious," continues Mark Molyneux.
These new rules carry substantial penalties - the SEC imposed fines of $6.4 billion in 2022 alone - so listed companies in the USA need to get their act together. Europe is not to be outdone, particularly as the NIS 2 directive approaches entry into force.