SANS Cyber Compliance Countdown

As we head into the last quarter of 2023, three major mandate changes are occurring, each positioned to make a large impact on how businesses, governmental bodies, and critical sector organizations operate. The goal of the SANS Cyber Compliance Countdown is to focus on what you need to know about these complicated and broad requirements and to offer solutions on how to meet these directives.


Welcome & Opening Remarks

Brian Correia

Compliance Countdown Kickoff Panel
Moderator: Brian Correia

Luna Bloom - Chief, Office of Rulemaking, Division of Corporation Finance, U.S. Securities and Exchange Commission
Mark Gorak - Principal Director for Resources & Analysis, Office of the Chief Information Officer, Department of Defense

Join us for a kickoff of the Compliance Countdown featuring the officials behind these initiatives, with a lively discussion on what you need to know to be compliant. There is a growing global trend of capabilities and skills being validated as a part of adequate risk management. Learn the mission, better understand how each one of these mandates will affect your organization, and have an opportunity to present questions to the moderator.

What do Regulatory Changes Really Mean for Your Cyber Incident Management Plans and Reporting

Steve Armstrong-Godwin

There is growing concern amongst some executives regarding the new regulations on how to handle a cyber incident and on incident disclosure under both the SEC and NIS II mandates. In this session we will talk about what you should do during a cyber incident and what it looks like on the ground, how to get your IR plans tested, and what a solid Incident Management plan looks like for reporting purposes. We will explain and offer solutions about what triggers the clock and the levels of visibility or incident understanding needed to be able to comfortably meet the new requirements.

Finally, we will look at what you could be doing between now and the enforcement of the new regulations, including building training exercises, major incident skills, and team cohesion. We will also provide a checklist of best practices to include in such reporting, whether it covers your management plan or a cyber incident you experience.

Understanding the Risk Management Mandates in 2023 Cybersecurity Regulations

James Tarala

Cybersecurity breaches and data disclosure rates continue to increase every year. In response, regulatory bodies, including the SEC, the State of New York (NYDFS), ENISA (NIS2), and others, have issued regulatory directives emphasizing the necessity for cybersecurity risk assessments to drive decision-making and reporting. In this session, we will explain what you need to know about these recent mandates, providing a detailed analysis of the guidelines with solutions to ensure rigorous organizational compliance. This session is crucial for those seeking to proficiently navigate contemporary regulatory requirements and enhance their organization's cyber resilience. Ensure your readiness by gaining insight into these imperative regulatory evolutions.

All attendees will also receive a risk mitigation report checklist.

Compliance Countdown Conclusion

Brian Correia

Join us for a conclusion and a discussion on the highlights from the Compliance Countdown event. Much like other industries where professionalization requires a measurable mix and level of capability in a team, this is a developing trend that will be a factor in regulator decisions, customer response, and liabilities. Regulators across the world are considering whether you have the right baseline of skills in your team to use the tools to drive security more actively. We will follow up on questions from the audience and offer you some tools that can validate the skills of your security teams.

Below is a quick overview of the changes; this forum dives into exactly what you need to do to maintain compliance.

1. SEC's Mandate: Unveiled in August and set to be enforced by December 18th, it signifies a pivot in reporting cybersecurity incidents. The mandate makes it imperative:

  • To report any cyber incident.
  • For management and security teams to not only possess cyber expertise but also ensure board reporting. Does this also involve consulting with outside counsel? Let’s find out.
  • To produce a Cyber Report, sculpted along the lines of a Financial Report, presenting a transparent picture of an entity’s cyber health.

2. DoD 8140.3: Signed in February with certification/training/education options slated for release this December, the DoD 8140.3 mandate will be enforced by February 25 for cyber personnel and February 26 for IT personnel.

  • Any individual within the DoD, including contractors, allied nations, and a staggering 350-400K military personnel alone, must validate their cyber skill set.
  • Compliance and validation of cybersecurity skills are non-negotiable.

3. NIS II Directive – Europe's Cyber Beacon: Heralded as potentially the next GDPR, the EU-based NIS II Directive, released in the 1st Quarter of 2023, calls for compliance by October 24. It covers:

  • Any critical sector organization and country, emphasizing the broad spectrum of its applicability.
  • ICS and incident reporting, signaling a drive towards a more fortified, responsive cyber environment.
  • A focused effort on building and nurturing a cybersecurity workforce that's equipped for tomorrow's challenges.
