Here are the slides from my February 28, 2013 RSA presentation, along with speaker notes that reflect what I wanted to say in my allotted 20 minutes. Luckily, I think I was able to stick to the notes pretty well.
The general thrust of the presentation was that firms’ risk factor disclosures made subsequent to the SEC’s updated guidance on “cyber incidents and risk” are much more likely to actually be cyber-related, and that future disclosures will increasingly mention actual incident history, rather than be phrased hypothetically. In support of this latter contention, I briefly update some observations made in my MIRcon 2012 presentation.
Recent news reports, in particular a syndicated Washington Post article, seem to be in line with my prediction.