Cyber Fundamentals: Ready or Not, Here it Comes!

Cyber Risk Management Chronicles, Episode VII

Lockhaven Solutions Logo
Image: Lockhaven logo

From a regulatory perspective, many industries have been living in the land of milk and honey as cyber programs have largely been guided by voluntary measures. However, regulator’s patience has grown thin with the public private partnership / voluntary measures approach and, as a result, cybersecurity regulation is on the way. 

Under SEC rules expected to be finalized within months, publicly traded companies that determine a cyber incident has become “material” (and could have a significant impact on the business) must disclose details to the SEC and investors within 4 business days.

James Dever Esq., Principal of Lockhaven Solutions

We know that change is coming on a national level as the pending Biden cyber strategy is strongly considering regulation as a means to better accomplish more consistency in national approach. But what about individual regulators? Well, some of them are certainly not sitting on their hands- most notable the Security and Exchange Commission (and the New York Department of Financial Services). 

Reporting and responsibility are the two biggest changes coming down the pike. Under SEC rules expected to be finalized within months, publicly traded companies that determine a cyber incident has become “material” (and could have a significant impact on the business) must disclose details to the SEC and investors within 4 business days. That requirement also stands when “a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.”

The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cybersecurity and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk.

James Dever Esq., Principal of Lockhaven Solutions, says that increasing the onus on boards will help ensure cyber programs are dealt with like other business risk, “Cybersecurity is a strategy, not a technical solution” says Dever, “the change in approach driven by this regulation will finally help align risk with strategy, something that has been severely lacking in industries that attempt to deal with cyber risk simply by employing ever-more expensive technical solutions.” Dever added, “in addition, this will help improve accountability to shareholders, an issue sorely lacking in the cyber context.”

Beyond the increase to reporting and responsibility, what is the practical “so what” of these regulators getting more involved in the cyber space? These regulators can also impose enforcement actions and levy massive fines, which, in the financial crimes world, have amounted to hundreds of millions of dollars.  

Safe to say things are changing and businesses need to face into these new requirements as soon as possible as more regulators will likely be following the lead of the SEC and NYDFS in 2023.


Dr. Jack Dever & James Dever, Lockhaven Solutions

Dr. Jack Dever is CEO and Co-Founder of Lockhaven Solutions, a professional services company specializing in tailored, risk-based solutions for our digital world. Jack served as FBI Assistant General Counsel where he advised on global cyber operations against nation state actors and Tier 1 operations against terrorist organizations. He was an Assistant US Attorney for the Northern District of Illinois (Chicago) and served on active duty in the US Army as a Judge Advocate. He deployed multiple times to war zones and is a highly decorated combat Veteran. After leaving government service, but before founding Lockhaven, Jack was an Executive at General Electric where he served as Global Crisis Management Leader and developed the Business Intelligence Cyber Fraud Unit. He was also an Executive at several of the world’s largest banks including GE Capital, Wells Fargo, and UBS. He holds a doctorate in Cyber Law and is Co-Director at the Center for National Security and Human Rights Law in Chicago. James Dever is Co-Founder and Principal of Lockhaven Solutions. James is a former US Air Force Professor of Cyber Warfare. In partnership with Air Force and NSA Cryptologic School colleagues, he designed and taught new graduate programs in Cyber Strategy for senior military officers and DoD civilians. He served on active duty in the US Army. He was the senior Cyber Warfare Judge Advocate at Army Cyber Command where he advised on global offensive, defensive, and DoD information network missions. He also served as Chair of the Law Department at the Army Intelligence School. Prior to military service, he was an attorney at Deloitte Cyber Risk where he facilitated enterprise cyber risk management for Fortune 100 companies and partnered with the National Institute of Standards and Technology (NIST) to develop the Trusted Identities in Cyberspace and Privacy Engineering programs. He is Co-Director of the Cyber Risk Management for Executives Program in Chicago and a member of the Board of Directors at the Journal of Law & Cyber Warfare.