
How to create a security culture that complies with the new SEC regulations

The rapid development of AI technologies has made hackers much more successful, and they are now using these advanced tools to attack vulnerable organizations. As cybersecurity threats continue to evolve, public companies must prepare to effectively disclose and manage these incidents. The SEC’s recent statement on disclosure of material cybersecurity incidents is an important step toward improving transparency and investor confidence.

The SEC’s May 21 statement clarified the disclosure requirements for publicly traded companies related to cybersecurity incidents, building on a rule set finalized in July 2023 that requires companies to disclose material cybersecurity incidents within four business days. This requirement ensures that investors are informed of significant cybersecurity events that could impact a company’s financial health and operational stability. However, the SEC also encourages voluntary disclosure of “non-material” incidents under Item 8.01, which can provide valuable context without causing investor confusion.

Companies need to understand that distinguishing between material and non-material incidents will be critical. This underscores the importance of robust cybersecurity measures and incident response plans. Going forward, companies will need to quickly assess the materiality of an incident and meet disclosure requirements. They will also need to consider the financial impact, reputational risk and the likelihood of ongoing attacks.

As investors gain visibility into these incidents, companies must invest in stronger cybersecurity measures to mitigate risks and reassure stakeholders. This may require investing in advanced security tools, conducting regular risk assessments, and fostering a culture of security awareness.

Here are five steps companies can take to comply with SEC disclosure rules and establish a much-needed cybersecurity culture and strategy:

  • Develop a comprehensive incident response plan: Prepare the team for future incidents with a comprehensive incident response plan. This should include protocols for assessing the materiality of cybersecurity incidents and the disclosure process. Consider factors such as financial impact, scope of the breach (exposure of confidential data), reputational risk, potential for ongoing attacks, and impact on business operations. Once the company has developed a plan, make sure teams across the organization—IT, security, legal, communications, and public relations—are aware of their roles in the process and how to work together.
  • Invest in advanced cybersecurity tools and technologies: The use of AI/ML can significantly improve an organization’s ability to detect and respond to threats. AI-driven tools can analyze massive amounts of data in real time and identify patterns and anomalies that may indicate a security breach.
  • Conduct regular training: Regularly training employees on cybersecurity best practices helps the organization maintain a robust security posture. Training should cover a wide range of topics, including common categories of cyberattacks and the latest cybersecurity paradigms such as zero-trust architectures. It is critical that employees understand the importance of prompt incident reporting, as timely detection and response can significantly mitigate potential damage.
  • Collaborate with legal and compliance teams: Work closely with legal and compliance teams to ensure that all disclosures comply with SEC requirements and are made in a timely manner. These teams can provide important guidance on the regulatory environment, help interpret complex regulations, and ensure that disclosures are accurate and comprehensive.
  • Review and update cyber policies: Regularly review and update cybersecurity policies to reflect the latest regulatory requirements and threat landscapes. This keeps the team’s security posture current and compliant and helps identify any gaps or vulnerabilities.

The SEC’s new statement on cybersecurity incident disclosure is a critical development for companies and investors. By adhering to these guidelines and improving their cybersecurity frameworks, companies can meet regulatory requirements and build greater trust with their stakeholders.

Pukar Hamal, Founder and CEO, SecurityPal