While applicable only to public companies, all businesses would be wise to familiarize themselves with these new SEC cybersecurity disclosure rules.
What are the new SEC cybersecurity disclosure rules?
The rules, adopted by the SEC in July 2023, require public companies to report a cybersecurity incident they have determined to be 'material' on Form 8-K (Item 1.05) within four business days. The four-day clock runs from the company's materiality determination, not from the date of the incident itself, and that determination must be made without unreasonable delay after discovery. The 8-K must describe the material aspects of the incident's nature, scope and timing, and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. Separately, the annual report (Form 10-K) must describe the company's processes for assessing, identifying and managing material cybersecurity risks, management's role in those processes, and the board's oversight of cybersecurity risk. A limited delay of the 8-K is available only where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
How should companies determine if an incident is 'material'?
The rule uses the existing securities-law standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The assessment is both quantitative and qualitative, so companies should weigh factors such as disruption to critical operations, unauthorized access to or exfiltration of sensitive data, financial loss and remediation cost, regulatory exposure, and the potential for reputational damage. The rule also defines a 'cybersecurity incident' to include a series of related unauthorized occurrences, so a cluster of individually minor events may be material in aggregate. Because the four-day clock starts when the determination is made, it is important to have a written policy that names who makes the materiality call, what information they need from the security team, and how quickly escalation must happen.
What steps can companies take to prepare for compliance?
Companies should review and update their incident response plans so that they include a defined escalation path from the security team to the people who make the materiality determination and prepare the disclosure, with clear roles, contact routes and timelines. Tabletop exercises should rehearse not only the technical response but also the materiality assessment and the drafting of an 8-K under time pressure. Companies should also confirm that their disclosure controls and procedures capture cybersecurity incidents, since the rule treats these as part of the existing disclosure framework. Finally, because the annual report must describe risk management processes and board oversight, companies should assess their cybersecurity posture, ensure that security policies are current and effective, implement controls based on documented risk assessments, and keep records that support what the annual disclosure will state.