SEC Update. Public companies must report cyberattacks within four days, unless it is a substantial risk to national security or public safety. To go live in December. 🤔 ⏳ www.bloomberg.com/news/arti…

BK Ryer

“…or to public safety, or to the chances of C level execs to get that boat this quarter.”

Munish

@bkryer 🤔🙄

BK Ryer

I believe reporting in the public interest by private companies on cyber issues is severely compromised by commercial pressures, professional status sensitivity, and good old-fashioned denial.

Munish

@bkryer 🤔 doing the right thing is trying to be morally correct for society. It is good that at regional meet-ups, this is the drive forward.

BK Ryer

No doubt. My point is rather cynical.

Reporting of incidents in a 96-hour window sounds fast to outsiders but is laughably inadequate from an oversight perspective, no matter what front line evaluations claim.

Voluntary means, as long as it doesn't make you look bad, or make your company lose any money or status, then you can report it. This is why we only hear about incidents which are too substantial to hide.

Software is our most vulnerable border.

Munish

@bkryer I know what you are saying. However, you also need to look at the perspective if it is not software related and ransomware or reliant on another party. It will get messy for sure.

Munish @Munish