Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines

Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules. The U.S. Securities and Exchange Commission’s new rules around disclosure of cybersecurity incidents go into effect on Dec. 15 for public companies with fiscal years starting on or after that date. Publicly traded companies must annually report their processes for spotting, judging and mitigating cybersecurity threats. They are also to report the possible material effects of such threats, the board of directors’ oversight of cybersecurity risks and management’s role and expertise in handling cybersecurity threats. In addition to the annual reports, starting on Dec. 18, all publicly traded companies must disclose material cybersecurity incidents to the SEC within four days if the incident is determined to be material. The disclosure must be made as Item 1.05 on SEC Form 8-K. Jump to: Drafting new disclosures and smoothing out the disclosure process CISOs, CFOs and other business leaders can prepare for these rules going into effect by drafting new disclosures well before the end of the fiscal year so that all relevant employees have the chance to review them. IT, information security, legal, SEC reporting teams and external advisors should all be involved in creating and evaluating disclosure controls and procedures. Many companies are already in the process of conducting readiness assessments, said Naj Adib, principal of cyber and strategic risk at Deloitte, in a phone interview with TechRepublic. Public companies are already used to filling out 8-K and 10-K disclosures for major events or new shares of stock, respectively. Now, those organizations are asking what they need to alter or enhance about their disclosure procedures, incident response and existing cyber capabilities. SEE: Apple recommends users update their OS against two security vulnerabilities. (TechRepublic) “Ultimately what’s changing is the orchestration between cyber and IT and the disclosure committee and the folks that do the disclosure,” Adib said. The new rules add on to standard incident response processes. Now, “We need to take the results of those processes and escalate to a group of individuals that would be responsible for determining materiality,” Adib said. “That could be anybody on the disclosure committee, people that are part of legal counsel and the office of the corporate secretary, depending on the organization.” Determining whether a cybersecurity incident is material Determining whether an incident is material can be difficult, and the SEC doesn’t provide an exact definition. A material incident in securities law is generally considered an incident in which “there is a substantial likelihood that a reasonable shareholder would consider it important,” according to three legal cases cited by the SEC. When determining whether an incident is material, disclosure committees should look at whether the organization is at risk of financial loss, a tarnished reputation, significant downtime or a loss of public confidence, Deloitte said. In order to make the process smooth, people, process and technology all need to be aligned, Adib said. Organizations need to build processes to get people from different stakeholder groups – cyber, IT, finance, legal – together on a disclosure committee to discuss a potential incident. Those people will need to make a professional judgment call about whether the incident is material. The technology used to determine materiality will be different depending on the organization, but will generally include: Security information and event management platforms. Security orchestration, automation and response platforms. Threat intelligence platforms. Threat response platforms. Ticketing platforms. “You have to have these platforms, tools, processes and capabilities in play in order to be able to identify that there’s a cyber incident and then take it up the chain to make a materiality determination,” Adib said. “But as we know, tools are only as good as the people that deploy them.” In the event of an incident being considered for materiality, Adib said organizations need to be sure they consider: Who’s at the table? Do we have enough information? How does the incident affect our business? In Deloitte’s plans for determining materiality based on the SEC guidance, they use a taxonomy including various risk domains: financial, operational, reputational, regulatory, extended enterprise (third parties, vendors and customers), strategic, technological and talent (health and safety), Adib said. Companies strengthen cybersecurity rules in response The purpose of the rules is to inform investors of the incident’s possible impact to “benefit investors, companies and the markets connecting them,” said SEC Chair Gary Gensler in a press release posted on July 26, 2023. On Aug. 2, 2022, Deloitte ran a poll of more than 1,300 C-suite and other executives in publicly traded organizations and found that 64.8% planned to strengthen their cybersecurity efforts in response to the SEC’s new rules. And, more than half (54.1%) of the executives surveyed said they would push third parties to improve their cyber programs in response to the SEC’s new rules. The poll was held during a webinar about the SEC’s new requirements.

This Cyber News was published on www.techrepublic.com. Publication date: Thu, 07 Dec 2023 17:13:38 +0000


Cyber News related to Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines

What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
1 month ago Cyberdefensemagazine.com
Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines - Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules. The U.S. Securities and Exchange Commission’s new rules around ...
11 months ago Techrepublic.com
Bringing Composability to Firewalls with Runtime Protection Rules - Rule control - Customers could not easily write their own firewall rules because of the use of proprietary languages that most teams weren't familiar with unless they received specialized training, or behind walled gardens only accessible by vendor ...
9 months ago Securityboulevard.com
What Are Firewall Rules? Ultimate Guide - Firewall rules are preconfigured, logical computing controls that give a firewall instructions for permitting and blocking network traffic. Network admins must configure firewall rules that protect their data and applications from threat actors. ...
9 months ago Esecurityplanet.com
The ticking time bomb of Microsoft Exchange Server 2013 - This is, of course, a common issue since 2021 or so, due to Exchange Server security woes- however there has been an abnormally high increase in the past few months, making me think there was some kind of Exchange Server zero day perhaps. In my own ...
10 months ago Doublepulsar.com
Tell the FCC It Must Clarify Its Rules to Prevent Loopholes That Will Swallow Net Neutrality Whole - The Federal Communications Commission has released draft rules to reinstate net neutrality, with a vote on adopting the rules to come on the 25th of April. The FCC needs to close some loopholes in the draft rules before then. Net neutrality is the ...
7 months ago Eff.org
Cyber Insurance: A Smart Investment to Protect Your Business from Cyber Threats in 2023 - Don't wait until it's too late - get cyber insurance today and secure your business for tomorrow. According to the U.S. Federal Trade Commission, cyber insurance is a particular type of insurance that helps businesses mitigate financial losses ...
9 months ago Cyberdefensemagazine.com
Understanding the New SEC Rules for Disclosing Cybersecurity Incidents - The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure. "Currently, many public companies provide cybersecurity disclosure ...
11 months ago Feeds.dzone.com
Cyber Insurance for Businesses: Navigating Coverage - To mitigate these risks, many businesses opt for cyber insurance. With the wide range of policies available, navigating the world of cyber insurance can be overwhelming. In this article, we will delve into the complexities of cyber insurance and ...
9 months ago Securityzap.com
Fighting ransomware: A guide to getting the right cybersecurity insurance - While the cybersecurity risk insurance market has been around for more than 20 years, the rapidly changing nature of attacks and the rise in the ransomware epidemic has markedly changed the nature of cyber insurance in recent years. It's more ...
10 months ago Scmagazine.com
Wargames director Jackie Schneider on why cyber is one of 'the most interesting scholarly puzzles' - In other games, we had people from Silicon Valley who were leading AI companies or cyber companies. What we found is those who had expertise in cyber operations were more likely to be more nuanced about how they used the cyber capability. On a larger ...
5 months ago Therecord.media
Three Key Threats Fueling the Future of Cyber Attacks - Improvements in cyber security and business continuity are helping to combat encryption-based ransomware attacks, yet the cyber threat landscape is continually evolving. Protecting an organization against intrusion remains a cat and mouse game, in ...
7 months ago Cyberdefensemagazine.com
Does Pentesting Actually Save You Money On Cyber Insurance Premiums? - Way back in the cyber dark ages of the early 1990s as many households were buying their first candy-colored Macintoshes and using them to play Oregon Trail and visit AOL chat rooms, many businesses started venturing into the digital realm as well by ...
11 months ago Securityboulevard.com
Three Things to Know About the New SEC Rules on Sharing Information and Breach Disclosure Deadlines - Recently, the Securities and Exchange Commission adopted rules about the handling and reporting of cyber risks and breaches. With these new guidelines and regulations, public companies and organizations must disclose cybersecurity incidents ...
9 months ago Cyberdefensemagazine.com
Meta's 'Pay or Consent' Data Model Breaches EU Law - The EU Commission has informed Meta that its 'pay or consent' model breaches EU law as it does not allow users to freely consent to their personal data being collected for advertising purposes. The Commission's preliminary view is that the tech ...
4 months ago Infosecurity-magazine.com
IT Professionals in ASEAN Confronting Rising Cyber Security Risks - The ASEAN region is seeing more cyber attacks as digitisation advances. In July 2023, the Association of Southeast Asian Nations officially opened a joint cyber security information sharing and research centre, or Cybersecurity and Information Centre ...
11 months ago Techrepublic.com
Uncertainty Is the Biggest Challenge to Australia's Cyber Security Strategy - Political shifts could lead to changes in Australia's cyber security strategy. Early in 2023, as the Australian government started to craft its cyber security vision, it met with opposition at both ends of the political spectrum. On the right wing, ...
10 months ago Techrepublic.com
SEC Shares Important Clarifications as New Cyber Incident Disclosure Rules Come Into Effect - The US Securities and Exchange Commission has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18. The SEC announced in late July that it had adopted new cybersecurity ...
11 months ago Securityweek.com
Cyber Insights 2023: The Geopolitical Effect - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. The Russia/Ukraine war that started in early 2022 has been mirrored by a ...
1 year ago Securityweek.com
The Evolution of Cyber Threats: Past, Present, and Future - Cyber threats have evolved significantly over time, posing increasing risks to individuals, organizations, and governments in our interconnected world. Let's explore the past, present, and future of cyber threats to better understand how to protect ...
9 months ago Securityzap.com
Enabling Threat-Informed Cybersecurity: Evolving CISA's Approach to Cyber Threat Information Sharing - One of CISA's most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange ...
11 months ago Cisa.gov
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
1 month ago Aws.amazon.com
Establishing New Rules for Cyber Warfare - The efforts of the International Committee of the Red Cross to establish rules of engagement to combatants in a cyberwar should be applauded internationally, even if adherence is likely to be limited. The ICRC recently released a set of rules for ...
11 months ago Darkreading.com
Sigma rules for Linux and MacOS ~ VirusTotal Blog - TLDR: VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows. We recently discussed how to maximize the value of Sigma rules by easily converting them to YARA Livehunts. At that time ...
11 months ago Blog.virustotal.com
Worried about job security, cyber teams hide security incidents - Between a growing talent shortage, alert fatigue, and new sophisticated attack methods, companies are more susceptible than ever. The research reveals that 40% of cyber teams have not reported a cyber incident out of fear of losing their jobs - a ...
5 months ago Helpnetsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)