Keeping up with federal regulations is an inevitable part of cybersecurity. While new rules aim to protect business, they also require more work. The U.S. Securities and Exchange Commission (SEC) recently proposed new rules that public companies will need to know. These standardize event reporting and require periodic reporting about cybersecurity policies and procedures. What do they say? How will they affect your business?

According to the SEC, the new changes are intended “to better inform investors about a registrant’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents.”

Previous guidance had stressed the importance of reporting incidents but did not have a specific timeline or annual reporting requirements. The proposal also mandates disclosures to be presented in Inline eXtensible Business Reporting Language (‘Inline XBRL’). Organizations and financial institutions can submit comments on the proposed changes until May 9, 2022.

Required Reporting Within Four Business Days

According to the SEC proposal, “we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise if any, and its oversight of cybersecurity risk.”

Take note: if passed, companies must report within four business days of determining a material event has occurred. However, a determination is different than the date of discovery. The proposal states that reporting cannot be delayed while the company is conducting internal investigations. Plus, the proposal includes non-inclusive examples of material events, such as:

  • An unauthorized incident that has compromised the confidentiality, integrity or availability of an information asset (data, system or network); or violated the registrant’s security policies or procedures
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to or loss of operational technology systems
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property or information that has resulted, or may result, in a loss or liability for the registrant.

The proposal goes on to say that “Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports.” By requiring follow-up, the SEC is showing that it requires organizations to ‘clean up’ after an event.

Annual Reporting of Cybersecurity Risk Management

The proposed updates also require annual reporting that provides specific details on preparations and strategies. The three areas of reporting are:

  • Cybersecurity Risk Management & Strategy – the policies and procedures in place to identify and manage cybersecurity risks and threats
  • Governance – the role and responsibility for cybersecurity governance of the board of directors and management levels
  • Board Cybersecurity Expertise – the level of cybersecurity expertise among its board members

While the SEC has provided rules and guidance in this area before, especially in terms of disclosing incidents, the proposed mandates will likely require changes in process if passed. The four-day reporting period in particular will have a meaningful impact on business. Organizations should pay careful attention to the progress of this mandate. Take a look at the internal changes you might need in order to meet these proposed requirements.

More from News

HHS Releases Hospital Cyber Resiliency Landscape Analysis

4 min read - On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness. The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct…

4 min read

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read

Google’s Bug Bounty Hits $12 Million: What About the Risks?

4 min read - Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase. Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security…

4 min read

Swiss Army Knife Malware Slices Through Systems In so Many Ways

4 min read - What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022. Picus' findings also highlighted the growing prevalence of "Swiss Army knife malware". This type of malicious software is capable of executing a range of…

4 min read