The Securities and Exchange Commission (SEC) has introduced a new rule for public companies that requires them to be more transparent about cybersecurity incidents. The new rule requires companies to disclose any material cybersecurity incidents within four business days of that determination. The disclosure should describe the material aspects of the incident, including the nature of the incident, the impact on the company, and the company's response.
The SEC's proposed rules include written cybersecurity policies and procedures, IT risk assessments, user security, and access controls, threat and vulnerability management, incident response and recovery plans, board oversight, recordkeeping, and cybersecurity incident reporting and disclosures.
To help CISOs incorporate this requirement seamlessly into their existing incident response plan, here are some actionable tips:
Revisit your incident response plan: An incident response plan is a structured approach that outlines the steps you'll take during a security breach or other unexpected event. Your business may be unprepared for a security incident without a response plan. An effective plan helps you identify and contain threats quickly, protect sensitive information, minimize downtime, and lessen the financial impact of an attack or other unexpected event.
Update the notification procedure and proactive planning for notification: Craft a well-defined notification procedure outlining the steps to comply with the SEC's requirement. Assign roles and responsibilities for crafting, approving, and forwarding notifications to relevant parties. Develop communication templates with pre-approved content, leaving room for incident-specific details to be filled in during a crisis.
Material incident identification and impact: Define the criteria for determining materiality, including financial, reputational, and operational implications. This step is critical in meeting the tight four-day reporting deadline.
Data protection and disclosure balance: Develop protocols to protect confidential information during public disclosures and collaborate closely with legal counsel to ensure compliance with disclosure regulations.
Regular plan reviews and third-party assessments: Regularly update your incident response plan to stay abreast of evolving threats and compliance requirements. Engage external cybersecurity experts to conduct thorough assessments, identifying gaps and potential vulnerabilities that need immediate attention.
Conduct tabletop exercises: Organize tabletop exercises that simulate real-world cybersecurity incidents. Ensure these exercises involve the business aspect, focusing on decision-making, communications, and incident impact assessment. These drills will sharpen your team's skills and enhance preparedness for the new 4-day deadline.
Foster a culture of cybersecurity awareness: Cultivate a company-wide culture that prioritizes cybersecurity awareness and incident reporting. Encourage employees to report potential threats promptly, empowering your team to respond swiftly to mitigate risks.
To determine your readiness posture, ask yourself the following questions:
Incident reporting and management questions
- What is your process for reporting cybersecurity incidents?
- How can you effectively determine the materiality of a breach or attack?
- Are your processes for determining materiality thoroughly documented?
- Have you determined the right level of information to disclose?
- Can you report within four days?
- How will you comply with the requirement to report related occurrences that qualify as "material"?
Incident management policies and procedures
- Are your organization's policies and procedures, risk assessments, controls, and controls monitoring strong enough to disclose publicly?
- Are your policies and procedures aligned with the specifications in at least one recognized industry framework? Are they updated regularly? Does everyone in the organization know what they are and how they are responsible for following them? Are they well-enforced?
Governance and risk management
- Is your risk assessment robust, and is it applied throughout the organization, focusing on top risks to the business?
- How often do you do risk assessments? Are assessment results incorporated into your enterprise cyber strategy, risk management program, and capital allocations?
- Have you engaged a third party to assess your cybersecurity program?
Board and leadership awareness
- How does your organization monitor the effectiveness of its risk mitigation activities and controls? How mature are your capabilities, as evaluated against an industry framework?
- How are leadership and the board informed about the effectiveness of these controls?
- Are your C-level executives getting the information needed to oversee cybersecurity at the board level?
Conclusion
In conclusion, the new SEC rule for public companies and cybersecurity incidents requires companies to be more transparent about material cybersecurity incidents. To comply with this requirement, companies should revisit their incident response plan, update their notification procedure, conduct material incident identification and impact assessments, develop protocols for data protection and disclosure balance, conduct regular plan reviews and third-party assessments, conduct tabletop exercises, and foster a culture of cybersecurity awareness. By asking the right questions and taking the necessary steps, companies can ensure they are ready to comply with the SEC's new cybersecurity incident disclosure rule.