The Securities and Exchange Commission (SEC) has implemented a new rule that requires public companies to be more transparent about cybersecurity incidents. Under this rule, companies must disclose any material cybersecurity incident within four business days of determining its severity. The disclosure should include details about the nature of the incident, its impact on the company, and the company’s response. The SEC’s proposed rules also cover other aspects of cybersecurity, such as written policies and procedures, IT risk assessments, user security and access controls, threat and vulnerability management, incident response and recovery plans, board oversight, recordkeeping, and incident reporting.
To help CISOs incorporate this requirement into their incident response plan, here are some actionable tips. First, revisit and update the incident response plan to ensure the organization is prepared for a security breach or other unexpected event. Craft a well-defined notification procedure that sets out the steps needed to comply with the SEC’s requirement. Assign roles and responsibilities for drafting notifications and forwarding them to the relevant parties so that communication is efficient. Finally, define the criteria used to determine whether an incident is material, since that determination starts the clock on the four-day reporting deadline.
Balancing data protection against disclosure is another important consideration. Develop protocols that protect confidential information during public disclosures, and work closely with legal counsel to ensure compliance with disclosure regulations. Regularly reviewing and updating the incident response plan, and engaging external cybersecurity experts to conduct assessments, can help identify gaps and vulnerabilities that require immediate attention. Tabletop exercises that simulate real-world cybersecurity incidents can also strengthen the team’s skills and test its readiness to meet the new reporting deadline.
Fostering a culture of cybersecurity awareness throughout the company is vital. Encouraging employees to report potential threats promptly allows the security team to respond swiftly and mitigate risk. Additionally, asking key questions about incident reporting and management, incident management policies and procedures, governance and risk management, and board and leadership awareness can help gauge the organization’s readiness to comply with the new SEC rule.
In conclusion, public companies must adhere to the SEC’s new cybersecurity incident disclosure rule, which emphasizes transparency in reporting material cybersecurity incidents. By revisiting incident response plans, updating notification procedures, conducting material incident assessments, developing data protection protocols, conducting regular reviews and assessments, organizing tabletop exercises, and fostering a culture of cybersecurity awareness, companies can ensure compliance with the SEC’s requirements.
Key Points:
1. The SEC’s new rule requires public companies to disclose material cybersecurity incidents within four business days.
2. Companies must provide details about the incident’s nature, impact, and response in their disclosure.
3. The proposed rules cover various aspects of cybersecurity, including policies, risk assessments, controls, and incident reporting.
4. CISOs can incorporate the requirement by updating their incident response plan, refining notification procedures, and conducting assessments.
5. Regular plan reviews, tabletop exercises, and fostering a culture of awareness are essential for preparedness and compliance.