The SEC Adopts New Rules on Cybersecurity Disclosure

The Securities and Exchange Commission (SEC) has ruled that public companies are now required to disclose “material” cybersecurity breaches within four days after a determination that an incident was material, according to Scott Kannry, CEO and Co-Founder, Axio.


“Companies will need to take the right steps to be prepared ahead of time,” he said. 

To effectively comply, CEOs and Boards of Directors will need to finally understand cybersecurity risk and, therefore, provide the same oversight and governance they offer to all other types of material enterprise risks, Kannry said.

In order to minimize their risk, security leaders must quickly model the potential impact (or lack thereof) of new and evolving threats within their own organization and more effectively determine if any mitigating actions should be taken, he said.

All key enterprise constituents need to have a better understanding of how cybersecurity events can impact the business and become more effective at minimizing impact – and acting quickly – if an event should occur, he added.

“All these outcomes differ starkly from the prevailing norm, where governance is lacking, resources are misaligned, and enterprises fly blind to their most critical cybersecurity risks, putting the company and shareholders on uncertain ground,” commented Kannry. 

By properly preparing, enterprises will not only be able to disclose breaches within the required timeline, but they and their shareholders will also have an understanding of their cybersecurity risk from a financial impact perspective for better prioritization and decision-making, he said.

Kannry told Traders Magazine that if broker-dealers or investment banks are publicly traded, then the rules would apply to them too.

“Otherwise, they are not required to disclose. However, they may be impacted by the rules as companies they might invest in or trade would fall under the rules,” he noted.

According to the SEC, the new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.

According to the SEC, Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.


George Gerchow, IANS Faculty and CSO and SVP of IT, Sumo Logic, said that this ruling is a great step towards achieving accountability, to protect the consumers and the investor community. 

“The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days,” he said. 

He noted that this ruling doesn’t require the reporting of technical details, but in the event of a breach, “it will inevitably come down to tech at some point—and no company is prepared for that”.  

According to Gerchow, companies will have to address these technical details and likely revise how they discover potential vulnerabilities and breaches; the company’s reporting mechanism; and who is on their board. 

“Having cybersecurity presence on board is critical, and it’s time for CISOs to begin preparing themselves for board positions—and for companies to position qualified CISOs on their boards,” he said.