Understanding the New SEC Rules for Disclosing Cybersecurity Incidents

The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure.
"Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
What Is a "Material Cybersecurity Incident"? The new rules establish requirements for reporting material cybersecurity incidents.
For tech folks, a phrase like "Material cybersecurity incident" can be tough legalese to decipher.
For "Cybersecurity incident," the SEC defines the term for us: "An unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."
What Is the Timeframe for Reporting an Incident? Once an incident is deemed "Material," affected organizations have to file SEC Form 8-K within four business days.
Which Organizations Are Affected? Public companies are affected by the new SEC rules.
Note that the forms aren't new, but the new SEC rules have added new requirements related to cybersecurity disclosures.
Form What is the form used for as it relates to the new rules? When is it required? 8-K To disclose information related to any material cybersecurity incident.
Item 1.05 of Form 8-K must be filed within four business days of a cybersecurity incident being deemed material 10-K Annually 6-K After a material cybersecurity incident 20-F Annually How Is This Different From Other Standards in the Past? For publicly traded companies, rules and regulations are nothing new.
Standardization in reporting requirements: Previously, cybersecurity incidents were reported with varying levels of detail and frequency.
The new SEC rules standardize how and when an organization must report incidents.
How Do the New SEC Rules Affect Your Cybersecurity Measures? The new SEC rules for public companies effectively create cybersecurity, disclosure, and governance requirements that organizations must address in their internal processes and policies.
The new rules mean that affected organizations must quickly detect and analyze cybersecurity incidents.
Incident response, which covers the ability to recover from cybersecurity incidents and capture the relevant data to disclose its "Nature, scope, and timing" to shareholders.
When coupled with effective logging, SIEM platforms provide many of the capabilities organizations need to comply with the new SEC cybersecurity rules.
Why Logging Is Essential for Cybersecurity Log management is a critical part of any organization's cybersecurity toolkit.
Conclusion The new SEC rules help standardize cybersecurity incident disclosures and emphasize the importance of governance in addressing cybersecurity risk.
For publicly traded organizations, these rules add specificity and structure to handling cybersecurity incidents and reporting on cybersecurity posture.
Specifically platforms that enable effective logging and incident response, are essential to tying together a cybersecurity strategy that mitigates risk and enables adherence to the new rules.


This Cyber News was published on feeds.dzone.com. Publication date: Sat, 02 Dec 2023 16:43:05 +0000


Cyber News related to Understanding the New SEC Rules for Disclosing Cybersecurity Incidents

Understanding the New SEC Rules for Disclosing Cybersecurity Incidents - The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure. "Currently, many public companies provide cybersecurity disclosure ...
1 year ago Feeds.dzone.com
Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines - Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules. The U.S. Securities and Exchange Commission’s new rules around ...
1 year ago Techrepublic.com
Bringing Composability to Firewalls with Runtime Protection Rules - Rule control - Customers could not easily write their own firewall rules because of the use of proprietary languages that most teams weren't familiar with unless they received specialized training, or behind walled gardens only accessible by vendor ...
10 months ago Securityboulevard.com
What Are Firewall Rules? Ultimate Guide - Firewall rules are preconfigured, logical computing controls that give a firewall instructions for permitting and blocking network traffic. Network admins must configure firewall rules that protect their data and applications from threat actors. ...
10 months ago Esecurityplanet.com
New SEC Cybersecurity Reporting Rules Take Effect - In the press release announcing the new cybersecurity rules, SEC Chairman Gary Gensler said,. Whether a company loses a factory in a fire - or millions of files in a cybersecurity incident - it may be material to investors. Currently, many public ...
11 months ago Securityboulevard.com
What Do CISOs Have to Do to Meet New SEC Regulations? - Ilona Cohen, Chief Legal and Policy Officer, HackerOne: It is never an easy time to be a chief information security officer, but the past few months have felt particularly challenging. The recent charges from the US Security and Exchange Commission ...
1 year ago Darkreading.com
Fortinet Contributes to World Economic Forum's Strategic Cybersecurity Talent Framework - Shining a light on the cybersecurity workforce challenge, the World Economic Forum recently published its Strategic Cybersecurity Talent Framework, which is intended to serve as a reference for public and private decision-makers concerned by the ...
7 months ago Feeds.fortinet.com
MeridianLink confirms cyberattack after ransomware gang claims to report company to SEC - Financial software company MeridianLink confirmed that it is dealing with a cyberattack after the hackers behind the incident took extraordinary measures to pressure the company into paying a ransom. MeridianLink, which reported more than $76 million ...
1 year ago Therecord.media
SEC Shares Important Clarifications as New Cyber Incident Disclosure Rules Come Into Effect - The US Securities and Exchange Commission has shared some important clarifications on its new cyber incident disclosure requirements, which come into effect on Monday, December 18. The SEC announced in late July that it had adopted new cybersecurity ...
1 year ago Securityweek.com
Understanding The Impact of The SEC's Cybersecurity Disclosure Regulations - Corporate security and compliance teams are scrambling to understand the implications of the U.S. Security and Exchange Commission's recently announced cybersecurity disclosure and reporting regulations. While the need to report 'material ...
1 year ago Cyberdefensemagazine.com
How to become a cybersecurity architect - Cybersecurity architects implement and maintain a comprehensive cybersecurity framework to protect their company's digital assets. The cybersecurity architect position is a fundamental role that all organizations need, said Lester Nichols, director ...
5 months ago Techtarget.com
What CISOs Should Exclude From SEC Cybersecurity Filings - As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission's new rules, CISOs face the challenge of deciding which details to report and, far more ...
1 year ago Darkreading.com
Cybersecurity Training for Business Leaders - This article explores the significance of cybersecurity training for business leaders and its crucial role in establishing a secure and resilient business environment. By examining the key components of effective training programs and the ...
10 months ago Securityzap.com
FBI Details How Companies Can Delay SEC Cyber Disclosures - The FBI is outlining how its agents will handle requests from publicly traded companies that want to delay having to disclose a cybersecurity incident under the new controversial Securities and Exchange Commission rules that take effect next week. ...
1 year ago Securityboulevard.com
Cybersecurity Curriculum Development Tips for Schools - With the constant threat of cyber attacks, schools must prioritize the development of a robust cybersecurity curriculum to equip students with the necessary skills and knowledge. This article provides valuable insights and tips for schools aiming to ...
11 months ago Securityzap.com
SEC Cyber Incident Reporting Rules Pressure IT Security Leaders - As the Security and Exchange Commission gets tough on businesses' cybersecurity posture, IT security leaders will need to beef up incident response plans-a notable challenge for organizations currently lacking in this area. The rules also require ...
11 months ago Securityboulevard.com
Student Cybersecurity Clubs: Fostering Online Safety - Student cybersecurity clubs are playing a crucial role in promoting online safety among students. Student cybersecurity clubs play a vital role in this regard, as they provide a platform for students to learn about the latest threats, share best ...
11 months ago Securityzap.com
What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
2 months ago Cyberdefensemagazine.com
The Importance of Cybersecurity Education in Schools - Cybersecurity education equips students with the knowledge and skills needed to protect themselves and others from cyber threats. Cybersecurity education can teach students about the impact of cyberbullying, how to prevent it, and how to respond ...
1 year ago Securityzap.com
Beyond Mere Compliance - Too often we continue to see executives whose approach to cybersecurity - compliance rather than protection - is strikingly similar to that of the ill-advised business owner whose minimal fire protection is designed only to meet the building code. ...
11 months ago Cyberdefensemagazine.com
SEC to require financial firms to have data breach incident plans - The Securities and Exchange Commission announced new rules on Thursday requiring certain kinds of financial institutions to have well-defined plans for what to do when a data breach involving customer information occurs. The rules - pushed through as ...
7 months ago Therecord.media
SEC to require financial firms to have data breach incident plans - The Securities and Exchange Commission announced new rules on Thursday requiring certain kinds of financial institutions to have well-defined plans for what to do when a data breach involving customer information occurs. The rules - pushed through as ...
7 months ago Therecord.media
Tell the FCC It Must Clarify Its Rules to Prevent Loopholes That Will Swallow Net Neutrality Whole - The Federal Communications Commission has released draft rules to reinstate net neutrality, with a vote on adopting the rules to come on the 25th of April. The FCC needs to close some loopholes in the draft rules before then. Net neutrality is the ...
8 months ago Eff.org
Q&A: How One Company Gauges Its Employees' Cybersecurity 'Fluency' - Professional services firm TAG.Global now requires that all of its employees complete a cybersecurity fluency assessment test as a way to raise awareness on threats and to reinforce responsibility for information security among its users. Talhouni ...
11 months ago Darkreading.com
What the cybersecurity workforce can expect in 2024 - For cybersecurity professionals, 2023 was a mixed bag of opportunities and concerns. The good news is that the number of people in cybersecurity jobs has reached its highest number ever: 5.5 million, according to the 2023 ISC2 Global Workforce Study. ...
11 months ago Securityintelligence.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)