SEC reporting mandates set to kick in by December 2023
Efforts to improve analysis of, and feedback on, cybersecurity threats continue to unfold. The SEC has established new guidelines that require reports in the event of a breach or other cybersecurity event. These guidelines will take full effect by December 2023.
The growing urgency for reporting rules is a response to the many cybersecurity attacks and events that have affected businesses and individuals over the past several years. While cybersecurity has always been a challenge, the use of remote networks and internet-facing infrastructure has significantly increased the need for better defenses.
Part of this involves reporting on incidents from the moment of detection. The general idea is that the more information is available, the better cybersecurity defenses and strategies can respond. A quick summary of the SEC guidelines follows:
- An entity (such as a business organization or fintech enterprise) must report a cybersecurity incident considered material within 4 days of the event; this involves describing the scale of the breach, the time of occurrence (or discovery), and the impact on the organization
- Reports must include descriptions of the identification process and of what cybersecurity infrastructure exists (or is planned to be incorporated)
- Reports must describe management’s role in risk identification and management, along with the steps taken as preventive measures
Organizations should pay attention to these requirements and new standards. Building a better relationship between CISOs and cybersecurity management will improve both defenses and reporting. The more efficient the communication, the better off a company will be.
Pressures of the new SEC standards
One of the growing concerns regarding the SEC reporting standards is time. Organizations won’t have generous wiggle room to gather their findings and produce a report on them; they need to comply within a reasonable timeframe. However, not all organizations have the same resources, and some may even lack the tools to report incidents effectively. That’s why getting a feel for the requirements before the SEC guidelines kick in is critical.
It’s also challenging because part of the guidelines requires reporting on the full material impact of a cybersecurity breach. To do that, leaders and management need complete insight into their IT environments. It also requires close collaboration among all parties to report material damage accurately.
Another factor is transparency. These guidelines will demand detailed explanations of an organization’s cybersecurity process, down to the tools and methods used to gather information about breaches. It is less about how efficient the model is and more about how honest an organization is about its methods. A core issue with cybersecurity on the business side is a lack of transparency, sometimes to the point of omitting entire details about impacted parties, materials, and customers. By doing so, however, companies fail to mitigate risk and continue to put their data and infrastructure in harm’s way.
How can I learn more about the SEC reporting requirements?
There is a lot to break down in the new SEC reporting guidelines. Again, organizations should at least adhere to a philosophy of transparency. That approach may not be fully effective yet, but it isn’t expected to be. The SEC is looking for transparent models to better understand how a cyberattack or malicious event occurred.
If it hasn’t already, your organization should get up to speed on these SEC requirements and confirm whether it falls under them.
All relevant parties should evaluate their current disclosure policies and look to bring their approach in line with the SEC mandates.
And if you’re concerned about reporting requirements or other cybersecurity issues, seeking help is encouraged.