SEC Proposes rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies 

In early 2022 the US Securities and Exchange Commission (SEC) proposed significant amendments to the information security requirements for publicly traded companies.  If these proposed changes are formalized into law, companies will be required to make periodic disclosures, including updates on previously reported material cybersecurity incidents, company policies and procedures to identify and manage cybersecurity risks, management’s role in implementing these policies, and the board of directors’ cybersecurity expertise and risk oversight activities.  

The proposed changes would require companies to file Form 8-K disclosure updates for reporting any material cyber incident within four business days of their occurrence.  A “material” incident is defined as anything that could potentially impact an individual’s decision to buy, hold, or sell a company’s stock. 

When a material incident is discovered, the company would be required to report, to the extent known:

  • When the incident was discovered and whether it remained ongoing
  • A brief description of the incident
  • Whether data was taken, changed, accessed, or used for any unauthorized purpose
  • How the incident affected the company’s operations
  • Whether the company had remediated, or was in the process of remediating, the incident. 

All in all, under the new rules, companies and their senior leadership will be held to a higher standard. They will be required to maintain reasonable cybersecurity policies and procedures, explain how senior leadership and the BOD provide oversight, and report incidents in a way that provides appropriate information to shareholders.

Our team at MAKINSIGHTS is closely following the proposed changes and analyzing the potential impacts on our clients.

Our view is that the SEC’s final ruling would need to strike a balance between providing investors with the information they need to make informed investment decisions and minimizing the risk that the disclosure itself leads to harm. Additionally, it is clear that the SEC expects the BOD and senior management to provide strong oversight and to enact measures that ensure the oversight is meaningful.

One key client concern is how the proposed regulations could affect incident response efforts, specifically during the containment and remediation stages. There is also concern that publicly disclosed incident information could be used by malicious actors to cause additional harm.

Net/net, it is important for companies to review and prepare for the potential impact of these proposed changes: according to recent reports, the SEC has announced plans to publish a final ruling on the proposed amendments in April 2023. [Update: The SEC has delayed the announcement of the final rule until at least October of 2023. While several industry groups have voiced support, it appears that the American Chamber of Commerce, with its strong lobbying body in support of American businesses, has identified some issues with the implementation of the rule that the SEC is re-evaluating.]

How MAKINSIGHTS can help

It is crucial for Information Security & Risk Management leaders to evaluate their company’s cybersecurity governance approach: policies, processes, and procedures, as well as the way in which key roles such as the board of directors and senior management work together via committees to realize such strategies. It is also clear that business continuity, contingency, and recovery plans should dovetail with incident management and regulatory oversight.

Companies should assess the expertise they have in place for identifying and managing cybersecurity risks and implementing cybersecurity policies and procedures. Furthermore, directors serving publicly traded companies should review how the board organizes its oversight of cybersecurity risk and engages with senior management to ultimately enact strategy. These evaluations should be conducted on a regular basis, regardless of the SEC’s final decision, as the cyber threat landscape is constantly changing, and attacks are becoming more sophisticated and relentless.

Our information security health check service offers a detailed evaluation of your current cybersecurity posture, providing valuable insights and recommendations to help you address industry standards, leading practices, and the recently proposed SEC cybersecurity guidance, while also embracing components of the National Association of Corporate Directors guidance on the role of the Board of Directors. Our assessments are based on widely adopted frameworks such as NIST CSF and ISO 27000, giving you the peace of mind that your organization’s security measures are in line with the latest industry standards.

Additionally, as part of our service, we will conduct a thorough assessment of your organization’s cybersecurity maturity level. This will enable you to identify key areas for improvement, prioritize your efforts, and develop a comprehensive plan for the future. This analysis will give you a clear understanding of your organization’s strengths and weaknesses, helping you to make informed decisions and allocate resources effectively.

Our team of experts can assist your organization in understanding the proposed SEC changes and implementing effective strategies to comply with the upcoming requirements. Please feel welcome to book a consultation with us via ideas@makinsights.com or through Calendly [ https://www.calendly.com/create-insights ].

 
