New SEC Cyber Security Disclosure Rules Can Impact Your Business
Tue, 31 Oct 2023 16:12:27 -0000
For the past few years, organizations of all sizes have come to recognize the risk and impact that a cyber attack could have on their business, including loss of revenue, brand damage, business interruption, remediation costs, and more.
A new rule from the Securities and Exchange Commission (SEC) now identifies cyber as a true category of business risk, joining numerous other challenges that companies face including financial, operational, regulatory, and compliance. This new rule officially declares that cyber is “EVERYONE’s” issue, and defending your business is critical to your shareholders, customers, and employees.
Effective Dec 18, 2023, the SEC's final rule – Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure – requires disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports (see note 1).
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.
Why: Ransomware attacks are ongoing and pose a risk to all parties engaged in public companies, including investors. As remote work has increased, so has the adversary’s ability to capitalize on an attack. The SEC has concluded that there needs to be a more consistent way to provide disclosure.
What is Required: Under the new regulations, public companies will need to disclose, “any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”
For more information, please review the SEC Fact Sheet.
Impact on Customers: The new regulations enable the CISO and other security teams to create further awareness of cybersecurity within their own organization. The requirements mandate that you provide the following information:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose
- The effect of the incident on the registrant’s operations and whether the registrant has remediated or is currently remediating the incident
- Who to contact for help
Summary: Cyber is a top challenge that is not going away. Cyber security teams are essential to the well-being of the organization and are critical in protecting assets, employees, and C-level executives.
It is of the utmost importance that C-level leadership understands that managing cyber risk is not just the responsibility of the CISO or CIO but also of the Board and the C-suite.
Dell provides end-to-end proactive and reactive solutions to help customers reduce their risk. The following checklist will help you consider and distill some of the risks your company faces:
- What are your critical assets? Have you identified top risks?
- If you experienced a material cyber incident, who would you call and do you have a way to understand what happened?
- Is your team managing the top cyber risks proactively and continuously so that you can monitor threats and vulnerabilities before they become material incidents?
- Can you provide rapid analysis of what happened?
Dell provides a managed detection and response solution that monitors your environment 24/7, including protection, remediation, and analysis of your data as well as continuous monitoring.
Our vulnerability scanning service searches for vulnerabilities, helping you identify your assets and any areas to fix and patch.
Dell also provides Incident Response services to restore, rebuild, and remediate your issues to get you back into operating your business.
Resources
NOTE 1: Securities and Exchange Commission, 17 CFR Parts 229, 232, 239, 240, and 249 [Release Nos. 33-11216; 34-97989; File No. S7-09-22], RIN 3235-AM89, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
NOTE 2: Advice and commentary in this paper does not constitute Dell Legal advice. Anyone reading this should consult their own legal team for advice and opinion.
Author: Steven Granat
Contact: Steven.Granat@Dell.com
#IWORK4DELL