The SEC's new disclosure rules on cybersecurity-related issues, and what they expect from business operators, present a tough set of decisions that cannot be avoided.
The SEC has issued compliance expectations that took effect on 5 September 2023, instructing business owners to regularly report their cybersecurity risk management strategies, board-level cybersecurity governance and oversight, and material cybersecurity incidents.
Although the incident-reporting requirement does not take effect immediately, it is expected to apply to larger corporations and organizations from 18 December 2023, and to smaller businesses 180 days after that. There is no doubt that businesses are already anxious about how the new rules may affect their approach to cybersecurity-related matters.
Much is expected given the national-security concerns involved. In particular, most businesses should expect to file a notice with the SEC within four days of determining that a hack (cyber-attack) or other security incident is “material” in nature.
Harley Geiger, a cybersecurity policy lawyer at Venable, has voiced skepticism about the new rules, and is of the opinion that companies should be ready for the possibility of having to report a cyber-attack (hack) to the government while still discovering its fundamental details.
Geiger stated:
“Because of the required timeline for disclosure, companies should be prepared to perform these assessments and disclosures even if the cybersecurity incident is ongoing.”
Public companies' security, legal, and corporate communications teams are expected to collaborate and adjust their incident response plans and financial reporting processes to accommodate these obligations.
The Significance of Materiality in the Context of Revealing Security Breaches:
One of the most important questions business owners are asking about the disclosure expectations is how the SEC will define a covered incident, that is, what makes a security breach “material”.
Broadly, the SEC defines materiality by reference to something that could influence the decision-making of a potential investor. In its published guidance, the agency defines information as material where a reasonable person would probably judge that its inclusion, or the correction of an item, would have changed or influenced the report.
This implies that an incident at a public company which could reasonably result in a lawsuit or regulatory inquiry, affect vendor or customer relationships, or harm the company's reputation or competitiveness falls within the scope of the SEC's requirements.
George Gerchow, a faculty member at IANS Research, has also expressed concern about the new SEC rule.
He stated:
“There are still way too many unknowns at this time,” he said when questioned about materiality.
In a statement quoted by SC Media, Gerchow asked an important question:
“We are trying to understand what a ‘material incident’ means, but it’s still too ambiguous. Furthermore, there is very little guidance on how companies should handle third-party attacks. Supply chain attacks are on the rise and add another layer of complexity to reporting the full nature and scope of an incident. So, how are companies going to pull in third-parties and their team to handle an incident within such a short timeframe?”
The SEC's final regulations, however, define the term as security incidents that have “materially affected or are reasonably likely to materially affect [a company's] business strategy, results of operations, or financial condition.”
Companies are expected to file disclosures with the agency, on Form 8-K for specific security incidents and annually, detailing the nature, scope, timing, and impact of the incident on their business operations or customers.
Gerchow also noted that, unlike many other incident-reporting rules, cyber-attacks (hacks) reported under the new SEC regulations by publicly traded companies will be disclosed to the public through EDGAR (Electronic Data Gathering, Analysis, and Retrieval system).
He stated:
“This may put companies in the position of publicly disclosing significant cyber incidents before the incident has been contained or mitigated, which may complicate companies’ recovery efforts and coordination with other federal agencies.”
Board Roles in Managing Risk and Cybersecurity:
The SEC also has other requirements taking effect from Tuesday, including that companies describe their cybersecurity risk management strategies and how these are integrated into the organization's wider business operations, detail the roles the board of directors and management play in overseeing cyber risk, and state what background and experience top executives have in cybersecurity.
As businesses attempt to comply, cybersecurity qualifications may become a bigger factor when hiring for C-suite and other executive positions. This may also tempt businesses to overstate or inflate the cybersecurity background and experience of the candidates they hire.
There is also room for a gap between how a business describes its cybersecurity program and practices and how they are actually carried out. Descriptions given by executives may not match the reality experienced by staff at the lower levels where incidents actually occur.
Share your thoughts on this in the comments section below.