While applicable only to public companies, all businesses would be wise to familiarize themselves with these new SEC cybersecurity disclosure rules.
What are the new SEC cybersecurity disclosure requirements?
The new SEC rules require public companies to disclose 'material' cybersecurity incidents within four business days. The incident disclosure must describe the nature, scope, timing, and potential impact of the incident; companies must also describe their processes for managing cybersecurity risks and the board of directors' role in overseeing them.
How should companies determine if an incident is 'material'?
Determining materiality involves evaluating whether a reasonable investor would find the incident significant for making investment decisions. Companies should consider the sensitivity of the data involved, the type and scope of the incident, and any potential business impacts, including reputational damage and costs.
What steps can enterprises take to comply with the new rules?
Enterprises should update their incident response plans to clarify disclosure responsibilities and ensure timely communication with leadership. They should also conduct risk assessments to implement appropriate controls, perform tabletop exercises to practice response procedures, and establish clear policies for determining materiality.