Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines

Starting Dec. 18, 2023, most publicly traded companies must report material cybersecurity incidents to the SEC on Form 8-K. Deloitte offers business leaders tips on how to prepare for these new SEC rules.
The U.S. Securities and Exchange Commission's new rules on disclosure of cybersecurity risk management and incidents took effect in September 2023. The annual disclosure requirements apply to public companies for fiscal years ending on or after Dec. 15, 2023.
In their annual reports (Item 106 of Regulation S-K, filed with Form 10-K), publicly traded companies must describe their processes for identifying, assessing and managing material risks from cybersecurity threats. They must also report whether any such risks have materially affected, or are reasonably likely to materially affect, the company; the board of directors' oversight of cybersecurity risks; and management's role and expertise in assessing and managing those risks.
In addition to the annual reports, starting on Dec. 18, 2023, publicly traded companies must disclose material cybersecurity incidents to the SEC within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery). The disclosure is made under Item 1.05 of Form 8-K and must describe the material aspects of the incident's nature, scope and timing, and its material impact or reasonably likely material impact on the company. Smaller reporting companies have an additional 180 days and must begin complying on June 15, 2024. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
CISOs, CFOs and other business leaders can prepare for these rules going into effect by drafting new disclosures well before the end of the fiscal year so that all relevant employees have the chance to review them. IT, information security, legal, SEC reporting teams and external advisors should all be involved in creating and evaluating disclosure controls and procedures.
Many companies are already in the process of conducting readiness assessments, said Naj Adib, principal of cyber and strategic risk at Deloitte, in a phone interview with TechRepublic. Public companies are already used to filing Form 8-K for material current events and Form 10-K as their annual report. Now, those organizations are asking what they need to alter or enhance about their disclosure procedures, incident response and existing cyber capabilities.
“Ultimately what’s changing is the orchestration between cyber and IT and the disclosure committee and the folks that do the disclosure,” Adib said.
The new rules add on to standard incident response processes. Now, “We need to take the results of those processes and escalate to a group of individuals that would be responsible for determining materiality,” Adib said. “That could be anybody on the disclosure committee, people that are part of legal counsel and the office of the corporate secretary, depending on the organization.”
Determining whether an incident is material can be difficult, and the SEC's rule does not provide a cyber-specific definition; it relies on the existing securities-law standard. Under that standard, information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important," according to the three court cases the SEC cites in the adopting release. The determination must be made "without unreasonable delay" after an incident is discovered.
When determining whether an incident is material, disclosure committees should look at whether the organization is at risk of financial loss, a tarnished reputation, significant downtime or a loss of public confidence, Deloitte said.
In order to make the process smooth, people, process and technology all need to be aligned, Adib said. Organizations need to build processes to get people from different stakeholder groups – cyber, IT, finance, legal – together on a disclosure committee to discuss a potential incident. Those people will need to make a professional judgment call about whether the incident is material.
The technology used to determine materiality will be different depending on the organization, but will generally include:
“You have to have these platforms, tools, processes and capabilities in play in order to be able to identify that there’s a cyber incident and then take it up the chain to make a materiality determination,” Adib said. “But as we know, tools are only as good as the people that deploy them.”
In the event of an incident being considered for materiality, Adib said organizations need to be sure they consider:
In Deloitte’s plans for determining materiality based on the SEC guidance, they use a taxonomy including various risk domains: financial, operational, reputational, regulatory, extended enterprise (third parties, vendors and customers), strategic, technological and talent (health and safety), Adib said.
The purpose of the rules is to inform investors of the incident’s possible impact to “benefit investors, companies and the markets connecting them,” said SEC Chair Gary Gensler in a press release posted on July 26, 2023.
On Aug. 2, 2022, Deloitte ran a poll of more than 1,300 C-suite and other executives in publicly traded organizations and found that 64.8% planned to strengthen their cybersecurity efforts in response to the SEC’s new rules. And, more than half (54.1%) of the executives surveyed said they would push third parties to improve their cyber programs in response to the SEC’s new rules. The poll was held during a webinar about the SEC’s new requirements.