The latest rules proposed by the SEC cover a wide range of topics, from cybersecurity to environmental, social and governance, that will affect how public companies operate. The proposed changes and new areas of risk will reshape the cybersecurity function, with heightened expectations around incident disclosure and response, board-level involvement and supply chain scrutiny.
In this piece, we highlight the four proposed SEC rules likely to have the greatest impact on CISOs and their organizations going forward. Note that the SEC rules discussed below are subject to change when the final guidance
A "material" cybersecurity incident, as defined by the SEC, is any incident that jeopardizes the confidentiality, integrity or availability of a registrant's information systems or any information residing in them. This will most likely include accidental exposure of data or inadvertent data sharing. Reporting requirements include:
The SEC’s proposed rule does not require public companies to file a separate Form 8-K for such updates; rather, this information would be disclosed in the next filed quarterly or annual report.
If a public company discovers that a series of previously undisclosed, immaterial cybersecurity incidents have become material in the aggregate, it must disclose such incidents in its next filed periodic report.
This rule stipulates that companies must disclose:
These upcoming rules create significant litigation and strategic risks. We see the biggest risk in the cybersecurity incident disclosure obligation, which requires public companies to disclose specific details concerning a cybersecurity incident, including the scope of the incident, the data accessed or stolen, and the impact on company operations.
By requiring this disclosure four days after determination of a material cybersecurity incident, the Form 8-K filing could precede data breach notices to state attorneys general, as well as potentially impacted individuals and business partners.
Providing such details before forensic investigation and data-mining efforts are complete is likely to expose companies to litigation before they have a full picture of the incident's impact. It could also undermine the attorney-client and work-product privilege associated with investigating the incident. CISOs, together with their boards, need to ramp up their reporting capabilities now and shore up their cybersecurity posture.
As the SEC finalizes the upcoming Cyber Disclosure Rules, IANS will provide clients with updated guidance through our new SEC Resource Center. The Resource Center serves as a centralized hub for resources, FAQs, updates, discussion and guidance to help clients navigate this new regulatory landscape.
September 26, 2023
By IANS Faculty