Is the new SEC Cybersecurity rule (CRMSGID) a regulatory hammer or is it one of the best tools for changing cyber security risk management in ways that truly matter? The projected worldwide losses in cybercrime are projected to be $10.5T in 2025 by Cybercrime Magazine. This session is a case study from the AT&T Wireless software failure that lead to hundreds of millions in losses and the lessons learned from SOX 2002 that will help cyber pros and the C-suite embrace the CRMSGID rule in a way that will transform business operations and dramatically improve the root cause of ransomware.

Learning Objectives:

• Understand the top two requirements of the new SEC rule: 10-K readiness and 8-K incident disclosure readiness. I break down the SEC ruling into process based approaches and explain how the Solar Winds litigation puts a fine point on 10-K reporting
• Understand why the word "reasonable" as it is used in security policies everywhere can be problematic and how to address the exposure that creates with a "reasonable risk" assessment and gap analysis. Understand why reasonable risk is necessary for reducing liabilityand why it is critical to "show your work"
• Understand the approach of "outcome based security" for ensuring that what is written in the 10-K and policy statements is what is actually done in the environment, and how this helps minimize the overhead of security audits