The Securities and Exchange Commission (SEC) has proposed changes to its rules to enhance and standardize public companies’ disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.
The proposed changes would amend Form 8-K, requiring public companies to disclose information about a “material cybersecurity incident” within four business days after the company determines it has experienced a cybersecurity incident, including a data breach, ransomware attack, etc.
Among other things, the proposed amendments would require:
- Current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents;
- Periodic reporting about a public company’s policies and procedures to identify and manage cybersecurity risks;
- The registrant’s board of directors’ oversight of cybersecurity risks;
- Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures;
- Further annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise (if any).
All proposed changes are intended to better inform investors about a public company’s risk management, strategy and governance, as well as to provide timely notification to investors of material cybersecurity incidents.
If adopted, the changes would strengthen investors’ ability to assess public companies’ cybersecurity practices and incident reporting, SEC Chair Gary Gensler says.
The SEC’s proposals reinforce the importance of being “incident response ready,” and not just having a plan, but a solid backup and recovery strategy that includes “ransomware mitigation, enforcing strong identity and access security controls, and ensuring auditing and compliance best practices are prioritized,” says Joseph Carson, Chief Security Scientist and Advisory Chief Information Security Officer (CISO) at Delinea.
However, Carson notes that the proposals appear to treat data breaches and cybersecurity incidents equally. “[It’s] a big surprise,” Carson says, as the impact and severity of data breaches and cybersecurity incidents can vary significantly depending on the scale and type of data impacted.
In addition, Carson says organizations will need to step up their incident response plans to be incident response ready. “Even after four days of discovering a data breach, many are still trying to identify the impact. Reporting an incident at the same time will require quick incident response capabilities,” he explains.