September 14, 2023 30 mins

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Aaron Pritz (00:05):
Thanks for tuning in to Simply Solving Cyber.
I'm Aaron Pritz

Cody Rivers (00:08):
And I'm Cody Rivers.

Aaron Pritz (00:10):
And today we're here with Abhishek Bharti.
He's a former managing director in a big four consulting
practice focused on privacy, information, security and risk
management.
And, without further ado, I'd like to introduce Abhi and,
maybe start with a little bit of background.
Abhi, tell us about yourself, your journey into cyber and what
you're passionate about in this field.

Abhishek Bharti (00:32):
Thanks, Aaron.
And thanks, Cody, for that intro.
Hello, everyone.
My background, has been, as Aaron mentioned, entirely in the
information security space.
20 years of experience in this field and, my passion in this
area began after I finished my master's, uh, from by way of
background.
I did my education and schooling all in India and once I finished

(00:54):
my master's, my first exposure in the world of cyber security
came by way of my first job, which was for, India's largest
internet service provider at that time.
And also, um, you know, a collaboration with a company
based in the US, which dealt with digital certificates.
And that brought me to the field of cryptography and encryption

(01:15):
and digital signatures.
And that was really my introduction in this field.
And ever since My passion and interest grew in this area and I
never left.
Post that, experience, I had a chance to work for one of the
big four organizations in India, worked for them for, around four
and a half years.
And by working with them, I got an opportunity to have a global

(01:37):
exposure to a lot of global clients as well as experience
working in a lot of global locations.
And then 14 years later, I came to the U S and had an experience
here working with multiple financial institutions, by
working for that big four.
And as part of my experience, my focus area was on cyber security

(01:59):
strategy, risk and compliance.
And in this field, as we all know, over the last few years,
we've seen lots of regulations change in the cyber security and
privacy space, both in the U.S. as well as globally.
So I've been actively involved in that area for a lot of time,
in the past.

Aaron Pritz (02:17):
Awesome.
So what would you say has been the biggest challenge that
you've seen?
You've been in consulting for a long time.
What are some of the biggest challenges that you've seen
clients struggle with?
And where have you felt like in your you've given some of the
most impactful advice processes solutions?

Abhishek Bharti (02:39):
Yeah, great question.
I think in this area we've seen a lot of clients and people who
are working in this area be familiar with a lot of
standards, as well as frameworks and regulations.
But the challenge I would say in my experience comes on the
aspect of applying that to your organization because I know it's

(03:03):
a consulting cliche statement on one size fits all does not one
size does not fit all so but what that really transpires and
means in the context of your organization is to understand
how you want to tailor your capabilities within the cyber
security program to the relevant risk Uh, and understand the

(03:24):
implications of what those regulations mean.
And the final part of that challenge would also be that as
and when new regulations come up, I've seen, you know,
organizations less mature, medium maturity to high
maturity.
Almost all of them struggle with the aspect that.
Something new has come up and they want to start from scratch

(03:47):
with respect to that compliance.
So the program needs to be built in such a way where, you are
doing the basics right.
And believe it or not, even in this day and age, while we talk
about artificial intelligence, blockchain, and all those
emerging technologies, The number one reason for a cyber
security incident to affect any organization still remains the

(04:07):
basic block and tackle Aspects that get missed example being
you know, vulnerability or patches not being applied on
time So yes, there are more sophisticated attacks But there
continues to be a sufficient number of missing elements on
basically doing the basics right.

Aaron Pritz (04:26):
Yeah, I've totally seen that.
I feel like sometimes cyber teams or new leaders want to
jump to build the third story of the house.
And maybe the loft with the game room and the arcade before
laying the foundation to the house or maybe digging a
basement, uh, may not always be the fun stuff like thousands or
millions of vulnerabilities is daunting, but you are right,

(04:48):
like that is, most of the time it's like vulnerability
exploited through a human error that linked to unpatched
vulnerabilities on core servers.
So I think back to the basics is always one of the first things
that we make sure to call out.
And, you know, if those are gaps and in any kind of program,

Cody Rivers (05:06):
Yeah, Aaron, big commentary and hobby to a lot of
our listeners are, folks who are new to cyber, they're growing in
their cyber careers or they're mature, you know, seasoned,
cyber executives.
But what's some kind of advice, with new regulation coming out,
as people are being tasked to do more with less, what's some kind
of general advice you would say for new consultants or new

(05:27):
practitioners who are getting into the arena?

Abhishek Bharti (05:30):
Great question.
I think my advice would be, continue to be a learner,
continue to be inquisitive, continue to keep up with the
learning.
If you can't rest on past laurels, if you want to succeed
in this industry and do well for you yourself in your career and
as well as for the organizations that you work with, because
again, it may sound cliche, but.

(05:51):
Cyber security is so complex and changing so fast, probably
fastest than any other field or in any other industry in this
world that you have to keep pace with what is happening, and it
does not necessarily mean that you need to know all cutting
edge stuff.
So, for example, you know, the latest buzzwords around quantum
and the cryptography world and the crypto world.

(06:12):
Yes, it's good to know you need to increase your awareness, but
you don't all necessarily need to be become suddenly become
experts in quantum right of as of now, because the whole
industry will take a while before we get there.
But having said that, if I compare, let's say the quantum
computing buzzword with, let's say, the cloud technology.
Cloud has already, in my opinion, reached that tipping

(06:35):
point where it is applicable to most organizations.
So if you are starting new in your career and you are not
aware of how the cloud infrastructure operates and you
are still thinking traditional data center infrastructure, then
you are falling behind the curve and are not going to be as
competitive in your career with respect to, moving up in the
industry and getting the right jobs.

Aaron Pritz (06:58):
How do you stay up to date?
How do you learn?
I've been just to share my own 22nd version.
I every morning I have a news aggregator.
Mine specifically is Feedly, but I've got specific keywords and
it serves up, 10 to 20 news articles and I probably filter
it down to three or four that I'll read, but that's one thing
that's been helpful for myself.

(07:19):
Consulting gives you another vector.
But what are some of the best ways or tips for those listeners
that you stay abreast of the latest?

Abhishek Bharti (07:26):
A couple of things.
I think, news aggregator is certainly one of them.
I think it's a great, tool to get the right message at least
quickly and be aware of what's happening, in the industry
currently.
Another thing is you can't boil the ocean, right?
And there is volumes of information that you can't spend
all your day reading every day.

(07:48):
So you need to, beyond a certain point in your career, decide,
Hey, Which areas do you want to focus on?
And try to then, invest time specifically in that area.
So the days of being too much of a generalist are gone.
So you need to carve that specialization for yourself.
So whether it is, strategy, whether it is regulatory stuff,

(08:10):
whether it is identity access management, you need to pick
certain areas you are keeping yourself updated on those
fields.
News aggregation sites are certainly important.
Others I would suggest would be one, keeping up with some
certifications in relevant to your sector and your industry

(08:32):
and you to study those areas a lot more, right?
So you can be, challenging yourself and making it a little
bit more disciplined approach to cover those areas.
And the second would be I know we all talk about networking
sites and, collaborating with other folks in the industry.
Making sure you follow people who are leaders in that space.

(08:53):
So that when they are sharing any article on some of these
networking sites, you are able to, pay special attention or
take out time to read those articles because obviously they
will be sharing something relevant, which will be useful.

Cody Rivers (09:05):
Yeah, excellent.
Excellent.
And well, speaking of knowledge and learning new things, one
thing that we get a lot of questions about.
You have frameworks change and guidance changes.
But one thing I want to talk about today is the SEC cyber
rule.
That kind of came out and we had a large influx of how does it
impact me?
Is it now?
Is it retro?
Is a current?

(09:25):
When does it take effect?
How do I define material?
So would love to kind of get your summarization, your
thoughts on what leaders need to be aware of and what they need
to be doing

Abhishek Bharti (09:35):
pretty great question and a great topic, I
would say, which is quite relevant for a lot of companies
these days.
But, specifically to talk about the SEC cyber rules.
So the rule that has recently been finalized by the SEC is
around cyber security disclosures, and this is
relevant for all public listed companies.
So it does not matter what industry you are in as long as

(09:59):
you are publicly listed, which means SEC is going to be your
regulator.
You are subject to these new rules on SEC cyber disclosures.
The rules themselves are quite elaborate, but I'll try to
summarize it for our listeners here.
There are basically three parts to the rule, but before I go to
the three parts, I want to spend a little bit of time explaining

(10:21):
why this new rule was needed and why was it initiated.
So in 2011 and then subsequently in 2018, the SEC did give out
guidance around, being careful with cyber security risks for
organizations and especially public listed organizations
because obviously investors are relying on those companies to do

(10:42):
well and are putting in their money by way of investing in
those stocks.
However, the SEC noticed that in spite of that guidance to, have
a lot of oversight, governance and risk management around this
particular cyber security risk, which was obviously in the last
decade, becoming I would say a top five risk if you look at
enterprise risks for any organization in this day and

(11:03):
age, we are all reliant on I.T. systems and with I.T. systems
and technology obviously comes cybersecurity risk.
But coming back to why the rule was needed.
So the SEC noticed that post 2018 when the guidance came out
specifically around cyber disclosures and being
transparent with those risks.
Even then, the public listed companies were not being very

(11:25):
forthcoming with respect to reporting those risks.
Although, news and media coverage did talk about cyber
security incidents happening at those organizations, but they
were not being formally reported on a timely manner.
So the SEC felt that to give them enough teeth to go after
organizations for noncompliance, One reason was to

(11:45):
make it a rule so that they now have explicit authority to go
after organizations that do not do it.
But the intent is not for the SEC to, penalize organizations.
The intent is, transparency for the investors.
So before, investor invest in a stock of a public listed
company, they need to be fully aware of all the risks.

(12:06):
associated with that organization, including cyber
security risks.
I know enterprise risks are being talked about, leaving
aside cyber, but the SEC felt cyber was important enough to be
explicitly called out.
As a result, they came up with this guidance in 2018, like I
mentioned, but now they have made it a rule.
Now let's come to what are, like, three broad expectations

(12:26):
of these rules.
The three broad expectations of these rules are That any
organization that is subject to this rule has to demonstrate
oversight of risk management oversight on cyber risk
management.
I should specify not just enterprise risk management
because enterprise risk management has been around for a
while, but specifically demonstrating cyber risk

(12:48):
management capabilities and oversight.
And by that, what I mean is not just conducting a cyber risk
assessment, but also, regular, reporting at a decent cadence to
the board, to the audit committee on what those cyber
security risks look like for the organization and how is the
organization geared up and prepared to deal with the cyber
security risks.

(13:08):
So that's number one broad area that the SEC expects
organizations to manage.
And also disclose as part of their filing to the SEC.
So that's the first part of the expectation

Aaron Pritz (13:20):
Before we move on to the second.
How much?
I think this is a big question being discussed.
How much needs to be disclosed?
Is it?
A couple bullets.
Is it full transparency of all the job aids and details?
Probably not.
But the answer is always somewhere in the middle.

(13:41):
Where do we think that middle is shaping up to be?

Abhishek Bharti (13:44):
Yes, spot on, Aaron.
And the answer is definitely in the middle.
I would say, uh, maybe less than the middle.
And the reason I say that is this is obviously going to be
sensitive information and anything disclosed to the SEC
becomes public information.
So Yeah.
With respect to risk management capabilities and what the
organization is doing, what sort of cyber risks are they facing?

(14:06):
I think, to err on the side of caution, organizations will
disclose that they are, paying attention to it, how they are
paying attention to it, but may not disclose too much granular
details around those capabilities as well as risks
faced by that particular organization because once that
information becomes public, you are indirectly putting a target
on your back by disclosing too much.

(14:28):
So very important that, individuals or committees being
responsible for interaction with the SEC in terms of reporting
requirements, do a collaborative session with, people from other
departments and by other departments.
I mean, like I expect organizations to form
committees.
That will have representation from financial reporting from

(14:50):
offers finance.
From cyber security, from compliance as well as legal.
All these departments need to come together to come to a
consensus as to what needs to be reported and how it needs to be
reported because you don't want to give away too much to have a
further target on your back.

Cody Rivers (15:06):
Yeah

Aaron Pritz (15:06):
I suspect like having a playbook or some sort
of pre aligned plan is going to be advantageous versus winging
it in mid December.
Is that a fair assumption?

Abhishek Bharti (15:17):
Definitely.
In fact, that is one of our common recommendations.
We advise our clients to prepare for the situation.
God forbid they should not get affected by a cyber security
incident that forces them to report to the SEC.
But.
Being prepared is always better.
And I know that organizations cannot think of all the
possibilities of a potential cyber security incident, but at

(15:39):
least the common ones that they have seen other organizations
suffer in the past or their own organizations suffer in the
past, they need to be prepared with determining how and when
they will, determine whether it is reportable or not.
And then what extent would they report that to, the SEC,
including determining some At least initial draft language.

Aaron Pritz (15:59):
And that's on reporting, but even the risk
management and governance, that's not something you need to
wait on.
Like figuring out what you've already done and what level of
granularity that you're going to go to, report your program level
information or how you communicate with the board.
That's something that's even you can even prepare more near.

Cody Rivers (16:19):
Well, and I thought about to Aaron.
So your point about that is I look at my definition, and I'd
be love to hear your thoughts here.
You've got another contract languages and stuff that you see
a lot of, like data sharing agreement, you'll see incident
versus event and what defines that, but you have a thing
reporting material breaches.
Material.
So I think, Aaron, your point, helping companies define what is

(16:41):
material for the company so they know when to report what not to
report.
But I think it might be a good question.
So I'd love to hear your thoughts on how you define
material.
And I know you're not lawyers, so this is not lawyer advice,
but it would love to hear your thoughts on how companies figure
out to define what's material and what's not material.
So in effect, what they do and do that report.

Abhishek Bharti (16:59):
Excellent question.
So actually that ties very nicely with the second grouping
of what the SEC's expectations for.
So I'll tie your response to that part.
So the second part of expectations of the SEC as we
all started touching on that topic is reporting on incidents.
So any and every incident that happens in your organization
obviously need not be reported because one, it will overwhelm

(17:21):
the SEC and also overwhelm the organization itself in terms of
preparing for those incidents.
So the expectation of the SEC is, uh, they've used that term
as Cody mentioned, material incidents need to be reported.
And materiality is a word quite often used in the context of
this regulation and it has been around in this space for quite a
while, but I want to distinguish in terms of what the expectation

(17:45):
of materiality is because clearly the SEC has not given a
formula or exact sort of definition of how materiality
would apply in the context of cyber security incident, but
based on my experience of working with many clients in the
space and helping and assisting them in determining what it
should be, I'll share some of my insights.
So the first part, as I was alluding to the word materiality

(18:07):
has been around for a while.
In the financial audit world there is a dollar value
threshold that is typically defined, which sort of also ties
with the enterprise risk management aspect of it on what
is an acceptable level of loss that the organization can
sustain without affecting its capabilities in the long term,
right?
So a dollar value threshold is defined.

(18:29):
So in the financial audit world side, if any transaction
mismatches that particular dollar value threshold, if it is
below the threshold, it can be ignored for, easier terms to
understand.
But if it is beyond that threshold, then it needs to be
investigated and reported to the SEC and some investigation needs

(18:49):
to be done.
So the concept is similar here where any significant cyber
security incident needs to be reported.
Now, how do we define that significant is really up to the
organization to determine.
And there is no easy answer for this as you were alluding to
Cody.
So the challenge becomes, one, you can apply multiple inputs to

(19:10):
come to that determination.
The most important aspect around determining this is whatever
criteria you come up with needs to be documented.
So the SEC, the first thing will the SEC will come to review when
they examine you if you're chosen for an examination is
whether this criteria was well established, documented and

(19:30):
accepted by the senior management and the board, right?
So coming up with a defined criteria.
So as Aaron was saying, can we do it on the fly?
No, you can't do it on the fly.
You can do it on the fly.
God forbid if you get selected for an examination, you will
fail and it's totally impossible.
You will incur the, wrath of the SEC in terms of monetary

(19:50):
penalties.
So coming back to what these inputs could be, so one could
be, you know, your risk appetite based on your well established
or already pre established enterprise
risk management rules that your organization may already follow,
like what is your appetite for a regulatory penalty?
What is your, appetite for being subject to, regulatory

(20:12):
noncompliance?
Example could be, let's say you are a healthcare organization.
So HIPAA laws apply, right?
So at what point do you say if 100 records worth of HIPAA
related sensitive PII information was lost.
Is that going to be considered significant enough?
Or is it going to be a thousand records?
Or is it going to be much more critical and only ten records?

(20:33):
Or less than ten records?
So, that determination has to be made internally by your privacy
team, by your legal team, by your compliance team as only one
of the inputs.
The other possible inputs and I can't obviously go through all
possibilities because it again needs to be tailored assessed
for each organization Again coming back to my original

(20:53):
comment on there's no one size fits all philosophy here So it
really needs to be articulated determined and tailored for
every organization.
But just to give you another example It would be Are you able
to quantify your cyber security incident in some manners?
And if you are able to quantify it, then based on your
enterprise risk level threshold, then you can say this particular

(21:15):
in cyber incident that happened cost me, you know, 1 million and
my threshold for risk appetite was 900,000.
So it has exceeded that threshold.
Therefore, I need to report this, right?
So that is again one of the possibilities organizations can
consider as they are thinking of how to make that determination

(21:36):
of what is going to be reportable and not reportable.
And then the last thing I'll say is, on the requirement for four
business days, the rule currently says you need to
report any significant or material event within four
business days.
Does your organization currently have the capabilities once it
knows about the incident to make that determination within four

(21:58):
business days and be ready to report within four business
days.
So those are some things for organizations to consider as we,
look at compliance with respect to this rule.

Aaron Pritz (22:08):
Yep.
So if an organization has to report it once they've deemed it
material.
And if material, I think I've got a reference here, means that
there's a substantial likelihood that a reasonable shareholder
would consider it important to an investment decision, how long
can an organization reasonably take to determine materiality?

(22:29):
Because I've seen some language on there determination must be
made without unreasonable delay, but that's qualified.
So could I get away with a year of determining materiality?
This rhetorical, uh, and then be like, Oh yes, it was, here's a
year later.
That's not going to solve anything.
What is your read on that?

Abhishek Bharti (22:46):
Yeah, that's a great question.
And again, that's the gray area that the SEC has left and people
consider it as both good news and bad news.
Bad news because they have not provided the clarity, but good
news because it gives organizations that flexibility
to come up with that determination.
So I think similar to our earlier conversation, the answer
lies based on what is determined to be by the organization

(23:12):
itself, right?
So tomorrow, let's say the SEC, you determine as you were giving
the example, Aaron, and I will say I'll take one year to
determine whether it is material or not.
So the SEC will not penalize you for Determining that, you will
take one year, but as part of your risk management processes,
when you do end up reporting, all the investors would know

(23:34):
that this organization, which claims to be mature enough is
taking one year to determine whether it is material or not.
So some of the onus on determining what is a reasonable
time period automatically falls on the organization in itself.
So clearly, while the SEC gives you that flexibility, you cannot
have all the time in the world to make that determination.

(23:55):
And there is additional complexity where even historical
events in aggregate, if they are in future considered to be
material you are expected to report to the SEC on that aspect
as well.
So organizations that may have determined something to be
immaterial in the past year face similar incidents in the coming
year.
Then you are required to then create that analysis to

(24:17):
determine all these incidents seem to be related.
And therefore, in aggregate, they become material.
So those are some of the challenges that organizations
need to consider as they prepare their capabilities to meet these
objectives.

Cody Rivers (24:30):
Yeah.
And so I have a two part question coming up.
So one, when does this go into effect?
You know, from a hard date?
And I think my follow on question would be, is there a
statute of limits to it?
So is it after said time, you can't go back, to a certain
point in time.
Not that I'm playing devil's advocate here, but if someone
were to miss the four day window Is there a time they want to

(24:51):
wait and keep it quiet when, hey, we're outside a window set
your limits to report this concern?

Abhishek Bharti (24:56):
Well, I would say it based on what has been
determined or documented internally as the process for
the organization.
So like I was saying, you can create a policy that says we
will take no more than two weeks to determine or we will take no
more than one month to determine whether it is material or not.
So the deadline of four days cannot be missed.

(25:18):
I would say so at a minimum you can choose to inform the SEC
that yes, we feel that it is potentially a significant event,
but we are still investigating or continuing to investigate,
but your obligation to report once you have made that internal
policy determination that this is your internal deadline to
come up with a decision of go, no go needs to be honored.

(25:40):
So to speak, you can't miss that four day deadline.
You have to inform the SEC.
Otherwise, you can miss it.
Obviously, nobody is going to force you to recommend.
But then you are inviting the SEC to come and penalize you.

Aaron Pritz (25:53):
Yeah, no, great points.
I'll be as we're coming to a close here for those that are
interested in learning more.
We actually co authored Tim Sewell, Abhi and myself.
Co authored a white paper.
We kept it brief and short.
I think it's three pages.
But it gives some more context, to the specific language that

(26:13):
Abhi was talking about.
And it also provides some tactics of how to get ready and
work through some of the challenges, especially on the
governance and risk management reporting.
And I think one misnomer, like you got to report that stuff as
part of a separate part of this whole, cyber SEC cyber rule,
you've got to report that annually, whether you have an
incident or not.

(26:34):
So there's no waiting around until you have an incident.
You got to start working on what you're going to say, literally
after December.
What is it?
Abhi 15th.

Abhishek Bharti (26:43):
Yes, December 15th is the deadline.
And actually are in that kind of touches to that third pillar
that I had mentioned three parts of the SEC rule.
The third part is the administrative requirements of
reporting using certain formalities of forms that the
SEC has already pre established.
So, with respect to informing the SEC about, potential sort of
material cybersecurity incident, there's a Form 8K, and I'll not

(27:05):
go into details of what the 8K is.
People can Google it and see it.
And then on a quarterly basis, there is another mandatory
reporting requirement by the SEC, which is called the Form
10Q, Q standing for quarterly.
And then on an annual basis, the same Form 10Q becomes
or is called 10K, K as in for the annual reporting

(27:26):
requirements.
So while the incident may not wait for your 10Q or a 10, you
know, the timing cannot sync necessarily with the filing with
the SEC on the 10Q or the 10K.
That is why the SEC has an out of turn reporting mechanism of
8K to meet those four business day requirements to use that
form for reporting.

(27:46):
But on an annual basis, this is what you were alluding to, you,
whether or not an organization gets faced with a cybersecurity
incident, they still need to disclose their cybersecurity
risk management, governance, reporting aspects
to the SEC by way of this annual filing in the 10K.
And that is very important.
And the last thing I'll add to all of these, which often gets

(28:08):
missed by organizations considering, compliance
requirements and capabilities, is this cyber requirements,
while it has been called out as a cyber disclosure rule and as a
new rule, The SEC, based on the 2018 guidance itself, has rights
to come and, you know, investigate and penalize
organizations that need not wait till December 15th deadline.
But the missing part that often gets overlooked is when this

(28:32):
incident, let's say, is faced, such an incident is being faced
by the organization, they need to ensure that other compliance,
associated compliance requirements are also being met.
And controls put in, to address those requirements.
And by those others, I'll specifically give one example,
which is on insider trading.
So, because a cybersecurity incident which is being

(28:52):
potentially considered as significant or material for
reporting to the SEC is sensitive information, the
organization needs to have enough controls to ensure that
this information is being shared on a need to know basis.
And that no insider trading is happening, as a result of this.
So the compliance department, the IT department needs to
monitor the employees.
To ensure that none of that happens by exploiting this

(29:15):
information beforehand.

Aaron Pritz (29:17):
Perhaps that's because there's been arrests and
indictments on such behaviors after a cyber incident.
There's always a reason to these new rules, right?

Abhishek Bharti (29:25):
Absolutely.
Absolutely.
You're spot on.

Aaron Pritz (29:28):
Awesome.
Well, Abhi, thanks for coming on the show today.
Really appreciate the deep or moderate dive that we did here.
And like I said, for those that want to learn more, we'll put a
link to the white paper.
In the show notes as well as on the social media posts so that
you can go check it out and, follow up with us if you guys
have any questions.

Cody Rivers (29:46):
Yeah.
Abhi.
Thanks again, sir.
It was a pleasure chatting with you and I'm sure our listeners
got some great knowledge and some great tips here for all the
upcoming, rules and everything.

Abhishek Bharti (29:53):
Sounds good.
Thanks everyone.