Wade's excellent post on LinkedIn reminds me of the not terribly useful new SEC disclosure rules in re cybersecurity incidents. It's all well and good that companies have to issue an SEC filing when they experience a big incident, but in most cases these days that's like getting a birthday card three days late. By that time, everyone knows you've been hacked because your services are all down hard and have been for hours or days.
And yet somehow companies aren't required to file a teensy weensy update when they decide to pay a $22M ransom a few weeks later? Pshaw.
Also, just once it would be nice if we had some requirements that said victims have to help explain to others how they got owned, and maybe even provide some actionable information at some point (when everyone's hair is no longer on fire).
