Subject: S7-09-22 Proposed Rule on Cybersecurity Risk Management, Strategy - Comment
From: Joey Hernandez
Affiliation:

Nov. 12, 2022

 


Even though I support reporting cyber incidents in general, the SEC's proposed rule is different from almost all other rules because the reporting will be made public in a short amount of time. Importantly, the SEC's proposed rule makes a difference between incidents that have been stopped or fixed and those that have not yet been mitigated. The proposed rule would require publicly traded companies to report cybersecurity incidents on public forms within four days of deciding that the incident is important. When the information is out in the open, both attackers and investors can use it, and if an uncontrolled or unmitigated cyber incident gets out to the public, attackers are likely to do things that hurt investors even more through further exploitation.
 
Cheers, 
 
--
Joey Hernandez
Team Lead, Incident Response Consulting 
Secureworks®