Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for April 7th, 2023. I’m Alex Achten. Thanks to Sentilink for their support of the podcast.

Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we will look at the possibility of stricter rules regarding those in the private sector disclosing cybersecurity incidents and cyber expertise around corporate brands.

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 7, 2023. Thanks to Sentilink for their support of the podcast. Each week, we look at the most recent events and trends related to data security and privacy. This week, we look at the possibility of stricter rules regarding those in the private sector disclosing a cybersecurity incident and cyber expertise around corporate brands.

While most trade groups and vendors from the cybersecurity industry support the proposed rules, some still do not. All of this leads us to the title of today’s episode, an iconic – and unscripted – line from Robert De Niro in the 1976 film Taxi Driver, “You Talkin’ to Me?” While the movie may not apply to the topic, the famous line certainly does.

Final Ruling to Come on Proposed Rules Promoting Transparency

Over a year ago, the U.S. Securities and Exchange Commission (SEC) proposed rules designed to increase transparency, including a mandate that publicly traded companies disclose a “material cybersecurity incident” within four business days of discovery. Federal regulators also said investors should know whether board members are competent in handling cybersecurity issues.

ISMG reports that regulators plan on disclosing a final ruling this month. It is unclear whether or not the publications will reveal significant changes from the proposed rules or when the SEC will begin enforcement.

Not All in the Cybersecurity Industry Support the Changes

While most in the cybersecurity industry supported the proposed rules, cybersecurity group Rapid7 has concerns that it has shared with the SEC. They fear companies will give bad information within a couple of days of a cybersecurity incident to try to navigate the overlapping requirements. Some are also concerned that publicly revealing an incident does little for incident response.

What the Changes Could Mean

Despite the concerns, the requirements could lead to security incidents moving more quickly. Companies may also need more straightforward policies for when cyber incidents escalate up the food chain. The governance disclosure proposal did not require organizations to appoint a cyber expert to their board. However, companies could react to the final rule by doing so.

What will be decided as the SEC eyes final rules on incident disclosure and board expertise remains unclear. With that said, forcing firms to disclose a cybersecurity incident in four days could be a step towards much-needed transparency in the space, despite some of the concerns. It could force companies to document their knowledge and decisions and formalize risk management procedures.

The results may leave some in the industry asking the SEC, “You Talkin’ to Me?” Yes, they are talkin’ to you.

ITRC Q1 2023 Data Breach Analysis

Next week, the ITRC will release its data breach findings for the first quarter of 2023. You can visit www.idtheftcenter.org/publications to download a copy of the report. ITRC Chief Operating Officer, James E. Lee, will also be back on the podcast next week to discuss the findings.

ITRC Breach Alert for Business Coming Soon

Also, the ITRC continues a beta test of a new service, Breach Alert for Business, for businesses that want to ensure they receive a notification when a data breach at a vendor or partner is entered into the ITRC’s data compromise database. For more information, fill out our interest form here and click “notified business alerts”. We will have more details in the coming weeks.

Contact the ITRC

If you want to know more about how to protect your business or personal information, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the podcast. We will return next week with another episode of the Weekly Breach Breakdown.