The rapid advancement of AI technologies has made hackers much more successful and they now use these advanced tools to attack vulnerable organizations. As cybersecurity threats continue to evolve, public companies must prepare to effectively disclose and manage these incidents. The SEC's recent statement on the disclosure of material cybersecurity incidents marks a significant step in enhancing transparency and investor confidence.
The May 21 SEC statement explained the disclosure requirements around cybersecurity incidents for public companies, clarifying a set of rules finalized in July 2023 requiring companies to disclose material cybersecurity incidents within four business days. This requirement ensures investors are informed about significant cybersecurity events that could impact a company's financial health and operational stability. However, the SEC also encourages voluntary disclosure of “non-material” incidents under Item 8.01, which can offer valuable context without causing investor confusion.
Companies need to understand why the distinction between material and non-material incidents will become crucial for businesses. It underscores and clarifies the importance of having robust cybersecurity measures and incident response plans in place. Moving forward, companies must quickly assess an incident's materiality and comply with the disclosure requirements. They must also consider the financial impact, reputational risk, and likelihood of sustained attacks.
As investors gain visibility into these incidents, companies will need to invest in stronger cybersecurity measures to mitigate risk and reassure stakeholders. This may require investing in advanced security tools, conducting regular risk assessments, and fostering a culture of security awareness.
Here are five steps organizations can take to comply with SEC disclosure rules and establish a much-needed cybersecurity culture and strategy:
- Develop a comprehensive incident response plan: Prepare the team to address future incidents with a comprehensive incident response plan. This should include protocols for assessing the materiality of cybersecurity incidents, and the disclosure process. Consider factors such as financial impact, data breach scope (sensitive data exposed), reputation risk, potential for ongoing attacks, and impact on business operations. Once the company has developed a plan, ensure that teams across the organization — IT, security, legal, communications and public relations — are aware of their roles in the process, and how they can work together.
- Invest in advanced cybersecurity tools and tech: Leveraging AI/ML can significantly enhance an organization's ability to detect and respond to threats more effectively. AI-driven tools can analyze vast amounts of data in real-time, identifying patterns and anomalies that may indicate a security breach.
- Conduct regular training: Regularly training employees on cybersecurity best practices will help the company maintain a robust security posture. The training should cover a wide range of topics, including popular categories of cyberattacks, and the latest cybersecurity paradigms such as zero-trust architectures. It's crucial that employees understand the importance of immediate incident reporting, as timely detection and response can significantly mitigate potential damage.
- Engage with legal and compliance teams: Work closely with legal and compliance teams to make sure that all disclosures meet SEC requirements and are made promptly. These teams can offer critical guidance on the regulatory landscape, helping to interpret complex rules and ensuring that disclosures are accurate and comprehensive.
- Review and update cyber policies: Periodically review and update cybersecurity policies to reflect the latest regulatory requirements and threat landscapes. This will keep the team’s security posture up-to-date and compliant, and help to identify any gaps or vulnerabilities.
The SEC's new statement on cybersecurity incident disclosures is a pivotal development for both companies and investors. By adhering to these guidelines and enhancing their cybersecurity frameworks, businesses can comply with regulatory requirements and build greater trust with their stakeholders.
Pukar Hamal, founder and CEO, SecurityPal
