A Train Hack, $80M Pig Butchering Scheme, and Greg Van Houten of Haynes Boone on the SEC's New Cybersecurity Disclosure Rules
Dec 21, 2023
This week on the podcast, we interview Greg Van Houten, a seasoned civil litigator who focuses on insurance recovery. We discuss the SEC's new cybersecurity disclosure rules, a massive unreported hack, a train hack, indictments in an $80M pig butchering scheme, and a MongoDB security breach.
The SEC has implemented new cybersecurity disclosure rules requiring companies to disclose their cybersecurity strategy and material cyber incidents.
Companies should review their cyber insurance policies to align with their 10K disclosures and involve their insurers in the disclosure process.
Boards of directors should elevate cyber strategy, risk management, and governance to the board level and consider adding a cyber-focused dashboard to their structure to mitigate potential shareholder litigation.
Deep dives
The Flipper Zero: A Versatile Physical Hacking Tool
The Flipper Zero is a physical tool that can automate various hacking actions, such as launching Wi-Fi deauth attacks or opening garage doors. It can be useful for learning about hacking with physical tools and automating certain attacks. However, it's important to note that the Flipper Zero is not a magic solution and still requires learning and configuring custom firmware to use effectively. It can be a fun tool to explore and experiment with, but it doesn't make you a hacker on its own.
Using a VPN on a Home Network and Home Network Security
Using a VPN on a home network can help mask your internet traffic from your ISP and protect your privacy. However, keep in mind that you are now trusting your VPN provider with your data, so choose a reputable and secure VPN service. Additionally, while a VPN can hide your traffic from your ISP, it doesn't guarantee complete anonymity or protection against all threats. It's always important to practice good security hygiene and consider other security measures to secure your home network, such as using strong passwords, keeping your software up to date, and using a firewall.
Understanding the Risks of Virtual Machines
Virtual machines can be useful for segmenting execution and creating separate computing environments. However, using a virtual machine does expand your attack surface, as it introduces another layer of complexity and potential vulnerabilities. It's essential to ensure that your virtual machine is properly configured and isolated from your host system and that you keep the virtual machine and the host system up to date with security patches. Keep in mind that compromising the host system could potentially compromise the virtual machine as well. If you're working with highly sensitive data or tasks, consider using dedicated hardware that is separate from your regular devices to further enhance security.
Cybersecurity Disclosure Rules
The SEC has implemented new cybersecurity disclosure rules for public companies, requiring them to describe their cybersecurity strategy, risk management, and governance practices in their annual Form 10-K filings. Public companies must also disclose material cyber incidents within four business days of determining that an incident is material. To be ready for the four-day reporting window, companies are encouraged to conduct tabletop exercises, simulate cyber crises, and practice real-time responses before an incident occurs. Boards of directors are advised to elevate cyber strategy, risk management, and governance to the board level and consider adding a cyber-focused dashboard to their structure. Corporate officers and board members should also be aware of potential shareholder litigation following disclosure of a material incident, and should align their written cybersecurity policies with their actual practices to mitigate this risk.
Insurance Considerations for Cyber Risks
Companies are urged to carefully review their cyber insurance policies and ensure that their application aligns with their 10K disclosures to avoid coverage disputes. Cyber insurers may review publicly available cybersecurity risk management and governance practices when evaluating claims. Additionally, companies should bring their cyber insurers into the loop regarding disclosures to comply with consent requirements in their liability policies. Insurance carriers are advised to evaluate their approach to cyber coverage in light of the new SEC rules. While concerns about increased claims activity are raised, the rules can enhance market stability by improving awareness of cyber risk at the executive level. Insurance carriers may also need to reassess exclusions, like war exclusions, and collaborate with policyholders to optimize coverage.
This week on Hacker And The Fed we interview Greg Van Houten of Haynes Boone and policyholderplaybook.com, a seasoned civil litigator who focuses on insurance recovery. We talk to Greg about the SEC's new cybersecurity disclosure rules, which went into effect this month. We also discuss a massive hack that went unreported, a train hack due to a vendor’s geofencing feature, indictments in an 80-million-dollar pig butchering scheme, and a MongoDB security breach.
SEC’s cyber disclosure rules: Key considerations for the board, C-suite and risk managers. Authored by Greg Van Houten (Haynes Boone), David Franzel (NAXO), and Chris Tarbell (NAXO)