Dennis D.’s Post

I can hear the in drawn breath for people yelling no it's not material! If you don't give an exact number of affected records or details? Maybe it's not material unless you report it? Reality - hundreds of attempts are made to hack daily or hourly against most businesses, do you get to present a percentage stopped versus percentage you find later were successful? .000001% successful? .000000001% Blaming the victim, versus the criminals doesn't seem to help anyone and the shame and resultant denial culture is going to make it impossible to move forward.... I applaud the move there isn't enough disclosure.... or budget or staffing... The requirements are still too vague... why not reward disclosure?

🤔It’s not what you think it is🤔 Reporting cyber incidents are not for your interpretation. Knowing the rules of engagement and staying on top of them will save organizations millions of dollars. Don’t believe me? Check out this article from Dr. Blake Curtis, Sc.D sharing how costly this can be. Reporting cyber incidents is gaining momentum in the Government sector as well. Per #Florida Statute sections 282.318 and 282.3185, state and local governments are required to report ransomeware to the #CSOC, #FDLE and law enforcement. Federal requires reporting to #CISA within 72 hours from a critical infrastructure prospective. This is how we are made aware of cybersecurity issues and can collaborate on how to mitigate them. It’s not what you think that it’s a shame game. It’s not a matter of if but when it occurs, then what? Would you get sick and not report your symptoms to the doctor? Let’s strengthen the supply web with this concept or requirement. Organizations need to hire skilled professionals that assist with #compliance and support the need. Who wants to pay fines that could be avoided? #GRC #Compliance #Reporting #EnterpriseRiskManagement #SupplyWeb

📢 Breaking News in Cybersecurity! 🚨 The Securities and Exchange Commission (SEC) has taken decisive action against the Intercontinental Exchange, Inc. (ICE), imposing a hefty $10 million penalty. What led to this significant fine? Let’s dive into the details. 🔍 The Incident: In April 2021, a third party alerted ICE that it was potentially impacted by a system intrusion involving a previously unknown vulnerability in its virtual private network (VPN). ICE swiftly investigated and discovered that a threat actor had inserted malicious code into a VPN device used for remote access to its corporate network. 🚫 The Compliance Failure: Despite identifying the breach, ICE personnel failed to promptly notify legal and compliance officials at its wholly-owned subsidiaries, including the New York Stock Exchange. This delay violated ICE’s own internal cyber incident reporting procedures. As a result, these subsidiaries did not properly assess the intrusion, breaching their independent regulatory disclosure obligations under Regulation Systems Compliance and Integrity (Regulation SCI). 🌐 Regulation SCI: Regulation SCI aims to address IT vulnerabilities in the US securities markets. It mandates that entities like ICE must immediately inform the SEC of cyber intrusions into relevant systems unless they can reasonably estimate that the impact is minimal. In this case, ICE took four days to assess the impact and internally concluded it was a de minimis event. 🗣️ SEC’s Response: Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, emphasized the importance of timely reporting: “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts.” The SEC’s swift action ensures market protection and investor confidence. 🔒 Lessons Learned: Transparency Matters: Promptly report cyber incidents to regulatory bodies. Compliance Is Non-Negotiable: Even the largest stock exchange must adhere to strict reporting requirements. Vigilance Saves the Day: In the digital age, swift responses are essential. 👏 Let’s applaud the SEC’s vigilance in safeguarding our financial systems! Share your thoughts below. 💬 Read more about the SEC’s charges here. https://lnkd.in/eeaxZRbx #Cybersecurity #RegulationSCI #SEC #FinancialMarkets

The words “cybersecurity incident” are very provocative. On one hand they scare most people silly, on the other hand the word “incident” tends to be ill-defined, especially in various contexts. In the context of ITIL it is no big deal. When incident is paired with the word material, and you are a public company, it is a big deal and may require an 8-k filing with the SEC. Big difference. Making things even more confusing, different legal bodies (and companies) will define the term #cybersecurity #incident, differently (sometimes differently in different bills), but hopefully consistently across a governing organization. Let’s take this example: -         Any real or suspected event that has a negative impact on cyber security. -         The event must violate an existing security policy, either explicitly stated or implied Does this mean you need to report every virus that your EDR deletes off a desktop or laptop? The Record reported about the $10 Million penalty on Intercontinental Exchange (#ICE), the owner of the #NYSE among others. At the heart of the matter is the lack of reporting on an incident that happened just over 3 years ago, a bad actor installed malicious code on a VPN concentrator, and ICE didn’t report it to their subsidies for several days. This violates the Regulation Systems Compliance and Integrity (Regulation SCI) rule. ICE says that the attempt was unsuccessful and had no impact on market operations, the fine is for the tardy reporting. What are #CIO, #CISO, and #CEO to do with the reporting rules that are popping up everywhere? Reporting could have reputational and financial impacts to a company that are way out of proportion to the non-impacting activity. If we have to report all the little things don’t we also run the risk of numbing everyone to these announcements and having everyone ignore real issues (the sky is falling!)? Does it also mean (more) burn-out and teams doing nothing but regulatory filing? I don’t think we need narrow definitions – things are changing too quickly to allow for that anyway, but we do need rules with less nebulous definitions. The cybersecurity industry could help with that, we are the professionals and experts on the topic after all. The article from The Record is here: https://lnkd.in/eDzwE-ZD

🚨 Attention Financial Firms 🚨 The SEC has made it clear: having a robust plan for data breach incidents is no longer optional—it's mandatory. In today's digital world, cybersecurity threats lurk around every corner, and preparedness is key. Are you equipped to stay ahead of cyber attackers? Don't wait until it's too late. Team up with an MSP that prioritizes security above all else. Our "security first" approach ensures that your finances are protected with the most advanced cyber defense strategies. Ensure compliance and peace of mind by choosing a managed services provider that understands the stakes. Protect your clients, safeguard your reputation, and meet SEC requirements with confidence. Invest in cybersecurity and partner with us for a resilient future. Click here to book your FREE 15-minute discovery call today!! https://lnkd.in/ddTPNh64 https://lnkd.in/eXzmq8E9 #CyberSecurity #MSP #ManagedServices #Finances #SECCompliance

🚨 Attention Financial Firms 🚨 The SEC has made it clear: having a robust plan for data breach incidents is no longer optional—it's mandatory. In today's digital world, cybersecurity threats lurk around every corner, and preparedness is key. Are you equipped to stay ahead of cyber attackers? Don't wait until it's too late. Team up with an MSP that prioritizes security above all else. Our "security first" approach ensures that your finances are protected with the most advanced cyber defense strategies. Ensure compliance and peace of mind by choosing a managed services provider that understands the stakes. Protect your clients, safeguard your reputation, and meet SEC requirements with confidence. Invest in cybersecurity and partner with us for a resilient future. Click here to book your FREE 15-minute discovery call today!! https://lnkd.in/d4dEm7By https://lnkd.in/eCeqdShC #CyberSecurity #MSP #ManagedServices #Finances #SECCompliance

SEC slaps $10 million penalty on owner of NY Stock Exchange over 2021 cyber intrusion. Why it matters: 1. Intercontinental Exchange (ICE), the company that owns the New York Stock Exchange among others, will pay a $10 million penalty for failing to promptly report a 2021 cyber intrusion, a delay that contradicted federal rules and the firm's own protocols. 2. The penalty exposes a potential grey area in federal regulations: entities can delay reporting a cyber intrusion if they believe the impact is negligible, raising concerns about potential subjectivity in assessing cyber threats. 3. The case underscored the significance of established communication lines between entities and the SEC during cybersecurity incidents, reaffirming that failure to follow reporting timelines can warrant severe penalties – an indicator SEC is prioritizing transparency in cyber events to protect both investors and the stability of financial markets. Learn more by visiting The Record from Recorded Future News: https://lnkd.in/eiVsjEWN

The Securities and Exchange Commission today announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleges that from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year-long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time. via U.S. Securities and Exchange Commission #Technology #riskmanagement #risk https://lnkd.in/eyEkyZQF

The SEC' data breach disclosure is not merely a compliance checkbox; it's a transformative step towards aligning corporate resilience with investor confidence, acknowledging that safeguarding digital assets holds equivalent material importance to physical ones in our interconnected world. TechCrunch #SEC #databreach #regulatorycompliance #cybersecurity #informationsecurity #techcrunch

In an article for TechCrunch, Fusion's Senior Director of Cyber Security Safi Raza explains why publicly owned companies that are operating in the U.S. must comply with the Securities and Exchange Commission's (SEC) new data breach disclosure rules. "The SEC has the authority to enforce compliance and may act against organizations that fail to adhere to the regulations. Some potential consequences include financial penalties, legal liabilities, reputational damage, loss of investor confidence and regulatory scrutiny," he says. Read more: https://bit.ly/48GDsM5 #Compliance #BusinessContinuity #OperationalResilience #Regulations