The Securities and Exchange Commission (SEC) has introduced a new rule for public companies that requires them to be more transparent about cybersecurity incidents. The new rule requires companies to disclose any material cybersecurity incident within four business days of determining that the incident is material. The disclosure should describe the material aspects of the incident, including the nature of the incident, its impact on the company, and the company’s response.
The SEC’s proposed rules cover written cybersecurity policies and procedures, IT risk assessments, user security and access controls, threat and vulnerability management, incident response and recovery plans, board oversight, recordkeeping, and cybersecurity incident reporting and disclosures.
To help CISOs incorporate this requirement seamlessly into their existing incident response plan, here are some actionable tips:
Revisit your incident response plan: An incident response plan is a structured approach that outlines the steps you’ll take during a security breach or other unexpected event. Your business may be unprepared for a security incident without a response plan. An effective plan helps you identify and contain threats quickly, protect sensitive information, minimize downtime, and lessen the financial impact of an attack or other unexpected event.
Update the notification procedure and proactive planning for notification: Craft a well-defined notification procedure outlining the steps to comply with the SEC’s requirement. Assign roles and responsibilities for crafting, approving, and forwarding notifications to relevant parties. Develop communication templates with pre-approved content, leaving room for incident-specific details to be filled in during a crisis.
Material incident identification and impact: Define the criteria for determining materiality, including financial, reputational, and operational implications. This step is critical in meeting the tight four-day reporting deadline.
Data protection and disclosure balance: Develop protocols to protect confidential information during public disclosures and collaborate closely with legal counsel to ensure compliance with disclosure regulations.
Regular plan reviews and third-party assessments: Regularly update your incident response plan to stay abreast of evolving threats and compliance requirements. Engage external cybersecurity experts to conduct thorough assessments, identifying gaps and potential vulnerabilities that need immediate attention.
Conduct tabletop exercises: Organize tabletop exercises that simulate real-world cybersecurity incidents. Ensure these exercises involve the business side, focusing on decision-making, communications, and incident impact assessment. These drills will sharpen your team’s skills and enhance preparedness for the new four-day deadline.
Foster a culture of cybersecurity awareness: Cultivate a company-wide culture that prioritizes cybersecurity awareness and incident reporting. Encourage employees to report potential threats promptly, empowering your team to respond swiftly to mitigate risks.
To determine your readiness posture, ask yourself the following questions:
Incident reporting and management questions
What is your process for reporting cybersecurity incidents?
How can you effectively determine the materiality of a breach or attack?
Are your processes for determining materiality thoroughly documented?
Have you determined the right level of information to disclose?
Can you report within four days?
How will you comply with the requirement to report related occurrences that qualify as “material”?
Incident management policies and procedures
Are your organization’s policies and procedures, risk assessments, controls, and controls monitoring robust enough to withstand public disclosure?
Are your policies and procedures aligned with the specifications in at least one recognized industry framework? Are they updated regularly? Does everyone in the organization know what they are and how they are responsible for following them? Are they well-enforced?
Governance and risk management
Is your risk assessment robust, and is it applied throughout the organization, focusing on top risks to the business?
How often do you do risk assessments? Are assessment results incorporated into your enterprise cyber strategy, risk management program, and capital allocations?
Have you engaged a third party to assess your cybersecurity program?
Board and leadership awareness
How does your organization monitor the effectiveness of its risk mitigation activities and controls? How mature are your capabilities, as evaluated against an industry framework?
How are leadership and the board informed about the effectiveness of these controls?
Are your C-level executives getting the information needed to oversee cybersecurity at the board level?
Conclusion
The new SEC rule requires public companies to be more transparent about material cybersecurity incidents. To comply, companies should revisit their incident response plan, update their notification procedure, define how material incidents are identified and their impact assessed, develop protocols that balance data protection with disclosure, conduct regular plan reviews and third-party assessments, run tabletop exercises, and foster a culture of cybersecurity awareness. By asking the right questions and taking these steps, companies can be ready to comply with the SEC’s new cybersecurity incident disclosure rule.