Expert perspectives – The Cyber Initiatives Group (powered by The Cipher Brief) this week filed a national security-related comment in support of the SEC’s proposed rules on cybersecurity risk management, strategy, governance and disclosure of public companies. The official filing is below.
The commentators, led by former National Security Agency General Counsel Glenn Gerstell, included Kelly Beasley, Global Security Services Lead, Microsoft Corporation; Hon. Sue Gordon, Former Deputy Director of National Intelligence; Matt Hayden, Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience; General Michael Hayden (Ret.), Former Director of the Central Intelligence Agency and the National Security Agency; Hon. S. Leslie Ireland, Former Assistant Secretary of the Treasury for Intelligence and Analysis; Richard H. Ledgett, Jr., Former Deputy Director, National Security Agency; RADM Mark Montgomery (Ret.), Former Executive Director of the Cyberspace Solarium Commission; and Deborah Plunkett, Former Director of the National Security Agency’s information security department.
Join CIG principals at our Virtual Spring Summit on Wednesday, May 25, and engage with public and private sector leaders on issues ranging from potential cyber operations initiated by Russia to tackling the explosion in ransomware and protecting critical infrastructure from risks introduced by third-party suppliers. The event is free and on the record. Save your seat now.
File Number S7-09-22 – Comments on the Proposed Rules
The undersigned submit these comments in support of the Commission’s proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules for public companies (“Proposed Rules”) dated March 9, 2022.
The signatories are a group formed and sponsored by The Cipher Brief, the principal behind the Cyber Initiatives Group, a private media organization that engages with the US private sector to raise awareness of cybersecurity and national security. Many of us now have direct involvement in cyber issues in the private sector and have significant experience in both cybersecurity policy and operational matters; many of us have worked at the highest levels of our country’s armed forces or intelligence community, while others have played leading roles in the country’s most important cybersecurity agencies and technology providers. (We are writing in our individual capacities, and the affiliations mentioned below are for identification purposes only.)
Our purpose in submitting these comments is to support the objectives of the Proposed Rules, to advise the Commission that in our opinion national security concerns are a valid and significant basis for rulemaking, and to underscore the potential benefits of the Proposed Rules not only for investors and registrants but, more importantly in our view, for our national security. In doing so, we are not commenting on the scope of the Proposed Rules, the regulatory burden, or other technical aspects, as others are better placed to address those details. We are, however, well positioned to comment on the national security implications of a sound cybersecurity posture among public companies.
In the background statement accompanying the Proposed Rules, the Commission observed that “[a] large-scale cybersecurity attack could have a systemic impact on the economy as a whole, with significant impacts on critical infrastructure and national security.”
All signatories are familiar with the technological sophistication of our cyber adversaries and believe that they will continue to pose an increasing risk to our nation. In that context, we note that the US Intelligence Community’s Annual Threat Assessment (February 7, 2022) cites cyber operations as a top threat from four countries: China, Russia, Iran and North Korea. Unfortunately, as adversary capabilities increase, so do our vulnerabilities, as we increasingly rely on digital technology across all aspects of our commercial, public and private lives. The advent of the Internet of Things and the huge amount of data created, stored and used by 5G telecommunications, artificial intelligence and, potentially, quantum computing (to name just a few developments) will create additional attractive targets for malicious actors. Cyber attacks thus pose a growing risk to our country’s infrastructure, businesses and citizens. Most of these technologies are owned and operated by public companies, and their vulnerabilities can directly affect our national security.
We believe that the objectives of the proposed current reporting requirement on material cybersecurity incidents, as well as the periodic disclosures of (1) a registrant’s policies and procedures for identifying and managing cybersecurity risks, (2) the role of management in implementing cybersecurity policies and procedures, and (3) the board of directors’ cybersecurity expertise and oversight of cybersecurity risk, are appropriate and are likely to enhance registrants’ cybersecurity posture. Public companies own or operate critical infrastructure, run core businesses in every industrial, agricultural and services sector and in many cases form the backbone of the American economy. As a result, improved cybersecurity among public companies translates directly into a national economy that is more cyber-secure and cyber-resilient. We would argue that the requirement for additional reporting on material cyber incidents would better inform investors, the public and government agencies generally, and that increased disclosure of cyber policies and board expertise would encourage public companies (and, by extension, private companies, at least to some extent) to meet, if not exceed, market expectations in that area.
By their very nature, these benefits cannot be easily quantified, but the lack of precise measurement cannot be a reason to deny what is in this case plainly obvious and logical. We believe that these benefits are important to our national welfare and should be considered by the Commission in its policy development and rulemaking.
We understand that interested parties will have differing views on the scope of the Proposed Rules and other technical aspects and, as noted above, we are not commenting on those issues here. We would, however, point out that any effort to standardize and align the notification and disclosure requirements with other requirements (such as those under the Cyber Incident Reporting for Critical Infrastructure Act of 2022) would obviously have the effect of increasing robust compliance with, and thus furthering the objectives of, the Proposed Rules.
Read more expert-driven national security insights, perspectives and analyses at The Cipher Brief, because national security is everyone’s business.