Without clear guidance, SEC’s new rule on incident reporting may be detrimental

2024-01-22 06:00

The SEC has instituted a set of guidelines "Requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance." These new guidelines went into effect on December 18, 2023, which means 2024 will be an important year for enterprises and how they adhere to current security regulations.

Establishing a reporting infrastructure that sheds light on what, how, and when security incidents are disclosed is important for the industry at large and is a huge step toward having cybersecurity seen as a business-wide issue.

The challenge with these new guidelines arises from the SEC's directive that mandates registrants disclose any cybersecurity incident deemed materially significant, detailing, " the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.

Investors relying on a company's 8-K filings for insights into the impact of a cyber incident might consequently overlook critical details amid the information overload. To counter this, the SEC needs to engage in proactive dialogues to clarify disclosure requirements, particularly regarding the frequency and extent of details needed.

Companies will have four business days to disclose an incident determined to be material, unless immediate disclosure poses a risk to national security or public safety.

There is an ongoing process to define what makes a cybersecurity incident "Material" and to establish better baselines for a "Minimally viable" security posture.

News URL

https://www.helpnetsecurity.com/2024/01/22/cybersecurity-incidents-sec-guidelines/

#incident #SEC