One year ago, the U.S. Securities and Exchange Commission (SEC) issued new cybersecurity disclosure requirements for public companies. These requirements were designed to improve transparency and accountability around cybersecurity risks. However, a new report from the Cybersecurity and Infrastructure Security Agency (CISA) finds that many companies are still struggling to comply with the requirements.
Key Findings of the CISA Report
The CISA report found that:
* Only 58% of companies have fully implemented the SEC’s cybersecurity disclosure requirements.
* 22% of companies have not yet implemented any of the requirements.
* The most common reason for non-compliance is a lack of resources.
* Companies are also struggling to find qualified cybersecurity professionals to help them implement the requirements.
The Rise of Scapegoating
The CISA report also found that there has been an increase in scapegoating in the wake of cybersecurity incidents. This occurs when companies blame their employees or vendors for the incident, rather than taking responsibility for their own shortcomings.
Scapegoating can have a number of negative consequences:
* It can damage the morale of employees and vendors.
* It can make it more difficult to attract and retain qualified cybersecurity professionals.
* It can erode public trust in companies.
Recommendations
The CISA report makes a number of recommendations to help companies comply with the SEC’s cybersecurity disclosure requirements and avoid scapegoating. These recommendations include:
* Develop a comprehensive cybersecurity program that includes policies, procedures, and training.
* Hire qualified cybersecurity professionals to help implement and manage the program.
* Regularly review and update the cybersecurity program to ensure that it is effective.
* Be transparent about cybersecurity risks and incidents.
* Take responsibility for cybersecurity incidents and avoid scapegoating.
Conclusion
The SEC’s cybersecurity disclosure requirements are an important step towards improving transparency and accountability around cybersecurity risks. However, many companies are still struggling to comply with the requirements. The CISA report recommends a number of steps that companies can take to improve their cybersecurity posture and avoid scapegoating.
Kind regards,
Dr. R. Hamilton