SEC Shares Important Clarifications as New Cyber Incident Disclosure Rules Come Into Effect

The US Securities and Exchange Commission has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18.
The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose any material breach within four business days of determining that the incident has a material impact.
Companies will have to submit annual reports with information on their cybersecurity risk management, strategy, and governance.
When the government agency announced the new rules, some industry professionals and government representatives raised concerns that forcing companies to disclose information in this manner could actually help threat actors, as the information a victim provides to the SEC could also be valuable to the attacker.
This includes telling the attacker when the breach was discovered, what is known about it, and the potential financial impact, which could be useful for setting a ransom demand in the case of ransomware attacks.
In a blog post published last week, Erik Gerding, director of the SEC's Division of Corporation Finance, shared some clarifications on what information must be disclosed by companies and when it must be disclosed.
Gerding clarified that the final version of the rules is more focused on the material impacts of an incident and requires less information compared to the initial version.
Companies are specifically told that they do not need to disclose any specific or technical information about their incident response, systems, or potential vulnerabilities if doing so could impede their incident response and remediation process.
He also provided additional clarifications on the 'four business day' requirement, noting that it's in line with other events that companies are required to report to the SEC, such as bankruptcy.
Public firms that suffer a data breach will be required to inform the SEC within four business days of determining that the incident is material, but their initial notification does not need to contain complete information about the incident.
A subsequent filing can be used to disclose information obtained after the four-day deadline.
Gerding highlighted that the final version of the rule also includes some changes regarding the annual disclosures in an effort to avoid misinterpretations that could put unnecessary pressure on companies.
A requirement to disclose whether any board members have cybersecurity expertise has been removed as it may have been interpreted as a requirement to retain an expert on the board.
Such an expert could come at the expense of other, more important cybersecurity investments.
Some companies will be allowed to delay their disclosure to the SEC if there is substantial risk to public safety or national security.
Organizations that have suffered a breach can request an exemption if they believe the disclosure will harm public safety or national security.
The Justice Department can grant delays ranging between 30 and 120 business days - a delay exceeding 120 days can only be granted by the SEC. The FBI, which is accepting delay requests on behalf of the Justice Department, recently provided some clarifications on this process.
Summer Fowler, faculty at IANS Research and CISO at Torc Robotics, has shared some recommendations on how companies can prepare for complying with the SEC cyber incident disclosure rules.
Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, has shared some advice for organizations using operational technology systems.


This Cyber News was published on www.securityweek.com. Publication date: Mon, 18 Dec 2023 12:13:04 +0000

