When it comes to the new SEC ‘materiality’ rules, assume that OT and IoT breaches qualify

SC Magazine – Edgard Capdevielle
New SEC rules require public companies to disclose cybersecurity risks, strategies, and material security incidents within 4 days.
This has major implications for organizations managing operational technology (OT) and internet-of-things (IoT) systems.
Most companies are not ready to quickly identify and assess the impact of breaches of these systems, which control critical infrastructure like manufacturing plants and electric grids.
Threats to OT/IoT are growing sharply.
Leadership, including CFOs and boards, must pay attention and be prepared to respond.
Determining if an incident is “material” to investors is challenging but critical.
The rules are intended to bring more transparency into cyber strategies, similar to the Sarbanes-Oxley Act’s impact on financial governance.
The recent SolarWinds lawsuit shows the SEC is serious about enforcement.
To comply, companies must contain incidents, gauge materiality, disclose within 4 days if the incident is material, and describe cyber risk management in financial reports.
But easy fixes are few, and OT/IoT capabilities often lag IT systems.
Leaders must ensure awareness of all systems whose disruption could cause material impact.
Governance, response plans, and alignment between IT, OT, business, finance, and legal teams are key to readiness.
Link: https://www.scmagazine.com/perspective/focus-in-on-ot-and-iot-as-the-new-sec-materiality-rules-kick-in

