The latest rules proposed by the SEC cover a wide range of topics, from cybersecurity to environmental, social and governance, that will affect how public companies operate. The proposed changes and new areas of risk will reshape the cybersecurity function, with heightened expectations around incident disclosure and response, board-level involvement and supply chain scrutiny.
In this piece, we highlight the four most critical proposed SEC rules likely to have the greatest impact on CISOs and their organizations going forward. Note that the SEC rules discussed below are subject to change when the final guidance
A "material" cybersecurity incident, as defined by the SEC, means any incident that jeopardizes the confidentiality, integrity or availability of a registrant's information systems or any information residing therein. This will most likely include accidental exposure of data or inadvertent data sharing. Reporting requirements include:
The SEC’s proposed rule does not require public companies to file a separate Form 8-K for such updates; rather, this information would be disclosed in the next filed quarterly or annual report.
If a public company discovers that a series of previously undisclosed, immaterial cybersecurity incidents have become material in the aggregate, it must disclose such incidents in its next filed periodic report.
This rule stipulates that companies must disclose:
These upcoming rules create significant litigation and strategic risks. We see the biggest risk in the cybersecurity incident disclosure obligation, which requires public companies to disclose specific details concerning a cybersecurity incident, including the scope of the incident, data accessed or stolen, and impact on company operations.
By requiring this disclosure four days after determination of a material cybersecurity incident, the Form 8-K filing could precede data breach notices to state attorneys general, as well as potentially impacted individuals and business partners.
Providing such details before forensic investigation and data-mining efforts are complete is likely to expose companies to litigation before they have a full picture of the incident's impact. It could also undermine the attorney-client and work product privilege associated with investigating the incident. CISOs, together with their boards, need to ramp up their reporting capabilities now and shore up their cybersecurity posture.
As the SEC finalizes the upcoming Cyber Disclosure Rules, IANS will provide clients with updated guidance through our new SEC Resource Center. The Resource Center serves as a centralized hub for resources, FAQs, updates, discussion and guidance to help clients navigate this new regulatory landscape.
February 29, 2024
By IANS Research