The U.S. Securities and Exchange Commission’s new rules around disclosure of cybersecurity incidents go into effect on Dec. 15 for public companies with fiscal years starting on or after that date.
Now, those organizations are asking what they need to alter or enhance about their disclosure procedures, incident response and existing cyber capabilities.
“Ultimately what’s changing is the orchestration between cyber and IT and the disclosure committee and the folks that do the disclosure,” Adib said.
A material incident in securities law is generally considered an incident in which “there is a substantial likelihood that a reasonable shareholder would consider it important,” according to three legal cases cited by the SEC.
Organizations need to build processes to get people from different stakeholder groups – cyber, IT, finance, legal – together on a disclosure committee to discuss a potential incident.
The purpose of the rules is to inform investors of the incident’s possible impact to “benefit investors, companies and the markets connecting them,” said SEC Chair Gary Gensler in a press release posted on July 26, 2023.