In July 2023 the Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules covering risk management, strategy, governance and incident reporting. They apply to public companies that file with the SEC and consist of a new cybersecurity section in the annual report on Form 10-K and a new incident-reporting item on Form 8-K.
Under the Form 8-K item, a public company must disclose a material cybersecurity incident within four business days after it determines that the incident is material, and it must make that materiality determination without unreasonable delay once the incident is discovered. The clock therefore starts at the materiality determination, not at detection. The disclosure has to give enough detail for a "reasonable investor" to understand the nature, scope, timing and impact of the incident, without the technical specifics of systems or response plans that would help an attacker or impede remediation. In practice the report should answer the following:
- When the incident was discovered and whether it is still ongoing.
- A brief description of the incident's nature and scope.
- Whether any data was stolen, altered, accessed or otherwise used without authorization.
- The effect of the incident on the registrant's operations.
- Whether the registrant has remediated the incident or remediation is still in progress.
Answering these questions in plain language, without unnecessary technical detail, lets everyone with a stake in the company, from the board to investors, discuss cybersecurity risk on common ground.
Cybersecurity Risk Management Guidelines and Practices
Alongside the Form 8-K changes, the rule requires the annual report on Form 10-K to describe the company's processes for assessing, identifying and managing material cybersecurity risks, management's role in those processes, and the board's oversight of cybersecurity risk. Those policies and procedures should be written as clearly as possible so that the board of directors and the C-suite can engage with them; the new Form 10-K disclosure matters because it makes a company's cybersecurity governance visible to investors rather than an internal matter.
Cybersecurity breaches have become one of the largest threats facing businesses across every sector over the past ten years. According to IBM's Cost of a Data Breach Report 2023, the average cost of a breach rose 15.3% from 2020 to a new high of USD 4.45 million. The SEC's stated aim with the new rules is to make cybersecurity risk management and incident disclosure consistent and comparable across companies, so that both become part of every firm's normal practice and discussion.
Advice on creating a risk-aware culture
In light of the new SEC requirements, businesses need a complete incident response procedure in place. Keeping a company secure is not only the job of IT, the security team and the chief information security officer (CISO). Every employee should receive training and stay alert to possible threats, and all workers must know when to report a possible incident, however small, so that the materiality determination and the four-business-day clock are not delayed by something nobody escalated. Raising awareness of cybersecurity risk across all departments matters because almost every team in a business handles data that could be compromised.
A capable security orchestration, automation, and response (SOAR) solution lets an organization's SOC handle threat response more effectively and decisively. Dynamic playbooks, automated investigation and response steps, and timestamps on important activities for reporting, legal and compliance purposes help security teams manage risk. One practical point: because the 8-K deadline runs from the materiality determination, that decision should be a recorded, timestamped event in the playbook, not just an e-mail between counsel and the CISO. Beyond helping prevent security issues, better risk management reassures investors that robust incident response procedures exist if a breach does occur.
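To make the four-business-day clock and the timestamped audit trail described above concrete, here is an added illustration of what a playbook step could track. It is example code written for this article, not QRadar SOAR or SEC code. It assumes the clock starts on the local date of the materiality determination and that the start day itself is not counted; the holiday set and the incident timestamps are constructed for the example.

```python
"""Form 8-K Item 1.05 disclosure clock (illustrative example, not product code).

Assumption: the four-business-day period starts on the date the registrant
determines the incident is material, and that day is not counted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Constructed holiday set for the example: New Year's Day and Martin Luther
# King Jr. Day 2024 (both real US federal holidays). A real playbook would
# load the full calendar for the filing year.
HOLIDAYS = frozenset({date(2024, 1, 1), date(2024, 1, 15)})


def add_business_days(start: date, n: int, holidays=HOLIDAYS) -> date:
    """Return the date n business days after start.

    The start day itself is not counted; Saturdays, Sundays and holidays
    are skipped. A determination on a Friday before a Monday holiday thus
    lands on the following Friday, not the following Thursday.
    """
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


@dataclass
class DisclosureClock:
    """Timestamped milestones for one incident and its 8-K deadline."""

    incident_id: str
    detected_at: datetime
    materiality_date: date | None = None
    filed_at: datetime | None = None
    timeline: list[tuple[datetime, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.record(self.detected_at, "incident detected")

    def record(self, when: datetime, what: str) -> None:
        """Append an audit entry, normalised to UTC and kept in time order."""
        if when.tzinfo is None:
            raise ValueError("audit timestamps must be timezone-aware")
        self.timeline.append((when.astimezone(timezone.utc), what))
        self.timeline.sort()

    def mark_material(self, when: datetime) -> date:
        """Record the materiality determination; this is what starts the clock."""
        self.materiality_date = when.date()
        self.record(when, "determined material")
        return self.filing_deadline()

    def mark_filed(self, when: datetime) -> None:
        self.filed_at = when
        self.record(when, "Form 8-K filed")

    def filing_deadline(self) -> date | None:
        """Fourth business day after the materiality determination, or None."""
        if self.materiality_date is None:
            return None
        return add_business_days(self.materiality_date, 4)

    def status(self, today: date) -> str:
        deadline = self.filing_deadline()
        if deadline is None:
            age = (today - self.detected_at.date()).days
            return f"materiality undetermined ({age} days since detection)"
        if self.filed_at is not None:
            return "filed"
        left = (deadline - today).days
        if left < 0:
            return "overdue"
        return f"due {deadline.isoformat()} ({left} days left)"


# Constructed scenario: detection late on Wednesday 10 Jan 2024 (US Eastern,
# standard time offset, DST ignored), materiality decided Friday 12 Jan.
EASTERN = timezone(timedelta(hours=-5))


def demo() -> DisclosureClock:
    clock = DisclosureClock("INC-2024-0007", datetime(2024, 1, 10, 22, 5, tzinfo=EASTERN))
    clock.mark_material(datetime(2024, 1, 12, 9, 30, tzinfo=EASTERN))
    return clock


if __name__ == "__main__":
    c = demo()
    for when, what in c.timeline:
        print(when.isoformat(), what)
    print(c.status(date(2024, 1, 17)))
```

Note the edge case the example is built around: a determination on Friday 12 January runs into the Monday holiday, so the deadline is Friday 19 January rather than Thursday. A playbook that counted calendar days, or that started the clock from detection, would report the wrong date in both directions.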
QRadar SOAR provides clear insight into an incident, which supports compliance with the new SEC rules, and it gives the CISO a clear, prioritised picture of security incidents to bring to other members of leadership. Its Breach Response module folds privacy reporting obligations into the overall incident response playbooks, helping enterprises anticipate and respond to privacy breaches, and it lets the legal, HR and privacy teams work together to meet the requirements of more than 180 regulations.
The new SEC rules should prompt executives to hold regular discussions about security posture and incident response, rather than only when a security problem occurs. Engaging C-suite leadership and the board of directors in those discussions is crucial for the CISO and other security and IT professionals, especially given the four-business-day deadline for disclosing material incidents and the inclusion of risk management and governance in annual reports.
Put the right tools in place now
Integrating the right tools, such as SOAR, helps the CISO communicate the company's risk posture to the board of directors and C-suite leadership in a common language that starts the conversation on this crucial subject. Bringing executives into that discussion quarterly, rather than only after an incident, can direct funding and visibility toward closing significant gaps and averting future disasters such as data breaches. Today's businesses face serious cybersecurity risk, but it can be reduced by following regulatory guidance, using the right automation technology, and discussing cybersecurity risk regularly with senior management.