The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure.
"Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
What Is a "Material Cybersecurity Incident"?
The new rules establish requirements for reporting material cybersecurity incidents.
For tech folks, a phrase like "material cybersecurity incident" can be tough legalese to decipher.
For "Cybersecurity incident," the SEC defines the term for us: "An unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."
What Is the Timeframe for Reporting an Incident?
Once an incident is deemed "material," affected organizations have to file SEC Form 8-K within four business days.
Which Organizations Are Affected?
Public companies are affected by the new SEC rules.
Note that the forms aren't new, but the new SEC rules have added new requirements related to cybersecurity disclosures.
The forms, what each is used for as it relates to the new rules, and when each is required:
Form 8-K: used to disclose information related to any material cybersecurity incident. Item 1.05 of Form 8-K must be filed within four business days of a cybersecurity incident being deemed material.
Form 10-K: required annually.
Form 6-K: required after a material cybersecurity incident.
Form 20-F: required annually.
How Is This Different From Other Standards in the Past?
For publicly traded companies, rules and regulations are nothing new.
Standardization in reporting requirements: Previously, cybersecurity incidents were reported with varying levels of detail and frequency.
The new SEC rules standardize how and when an organization must report incidents.
How Do the New SEC Rules Affect Your Cybersecurity Measures?
The new SEC rules for public companies effectively create cybersecurity, disclosure, and governance requirements that organizations must address in their internal processes and policies.
The new rules mean that affected organizations must quickly detect and analyze cybersecurity incidents.
Incident response covers the ability to recover from cybersecurity incidents and to capture the data needed to disclose an incident's "nature, scope, and timing" to shareholders.
When coupled with effective logging, SIEM platforms provide many of the capabilities organizations need to comply with the new SEC cybersecurity rules.
Why Logging Is Essential for Cybersecurity
Log management is a critical part of any organization's cybersecurity toolkit.
Conclusion
The new SEC rules help standardize cybersecurity incident disclosures and emphasize the importance of governance in addressing cybersecurity risk.
For publicly traded organizations, these rules add specificity and structure to handling cybersecurity incidents and reporting on cybersecurity posture.
Specifically, platforms that enable effective logging and incident response are essential to tying together a cybersecurity strategy that mitigates risk and enables adherence to the new rules.
This Cyber News was published on feeds.dzone.com. Publication date: Sat, 02 Dec 2023 16:43:05 +0000