
The United States Securities and Exchange Commission’s (SEC) July 26 approval of new cybersecurity “incident” disclosure rules is top of mind for every public company, and understanding what it means and how companies will be held accountable is crucial. The rules were initially introduced in March 2022, but the Commission’s deliberation on disclosing cyber incidents began over ten years ago. Let’s dig into it.
The new rules, which will go into effect later this year, require that publicly traded companies (or “registrants”) disclose a “material” cybersecurity incident within four business days of determining that the incident was material. There is an exception to the reporting timeline, which allows for a delay if disclosing the incident could harm national security or public safety. However, only the United States Attorney General can grant such an exception.
What is most interesting is that registrants must disclose the impact of a material cybersecurity incident but are not required to disclose the technical details, such as the vulnerabilities exploited or the indicators of compromise. The rules will require the registrant to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
In addition to cyber incident disclosure requirements, the SEC also mandates that public companies periodically disclose information regarding their cybersecurity risk management, strategy, governance and risk factors.
The upshot of the new rule is that while companies do not have to disclose the technical details of an incident, they need two capabilities to respond and report on a timely basis:
- First, given time is of the essence — with a four-day window to report once a cybersecurity incident is deemed material — each company must be able to rapidly gather and analyze telemetry from various tools and sources to classify an event and determine if it’s material and requires SEC reporting. This will require an extremely coordinated and sophisticated cross-functional team.
- Second, resilience is critical. A company that can pursue a resilience strategy will have less angst over a disruption if it can quickly identify a problem and leverage backup capabilities, potentially obviating the need for reporting if there would be no material impact on investors. Perhaps a new tongue-in-cheek acronym is warranted: reduce Mean Time To Detect, Respond to Obviate Reporting (MTTD-ROR).
A Roadmap to Rapid Resilience
Service disruptions often look the same, but internal teams need help to obtain the holistic view required to solve a problem quickly. The field is crowded with players in roles ranging from business leaders, security, operations, IT, and audit, to engineers, developers, and architects. So how do you prepare for and recover from unexpected cyber disruptions quickly?
It starts with public companies adequately investing in the right people, technology and processes that enable cyber resilience. This makes it possible for SecOps, ITOps, and engineering to collaborate with the right tools to prevent significant issues, remediate quickly, and accelerate transformation.
The new SEC rules drive publicly traded companies — like Splunk — to take a resilient-first technology approach that enables improved visibility of IT and OT infrastructure, including:
- Full-scope visibility, a real-time, automated understanding of security and observability events whether on-premises, in the cloud, or hybrid.
- Seamless integration of security analytics, threat intelligence, powerful investigation capabilities, and SOAR supported by a modern unified work surface to differentiate an incident orchestrated by a malevolent actor from an operational problem such as a software glitch or misconfiguration.