December 7, 2023 By Hannah Klemme
Hannah Chong
3 min read

In July 2023, the Securities and Exchange Commission (SEC) voted to adopt new cybersecurity disclosure rules for publicly listed companies. The rules add a new incident-reporting item to Form 8-K and new annual disclosure obligations on cybersecurity risk management, strategy and governance to Form 10-K.

Under the new rule, a public company must report a material cybersecurity incident on Form 8-K within four business days after the company determines that the incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident; the rule also requires that the determination itself be made without unreasonable delay after discovery, so the assessment cannot be deferred to push back the deadline.

The filed Form 8-K must describe:

  1. The material aspects of the nature, scope, and timing of the incident, and
  2. The material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

Cyber risk management processes 

In addition to the Form 8-K update, the new SEC rules require companies to describe in Form 10-K the processes they use to assess, identify and manage cybersecurity threats. The disclosure must also describe the board of directors’ oversight of cybersecurity risk and management’s role in assessing and managing that risk. This annual disclosure is a significant expansion of companies’ obligations: a company now has to document an actual risk management process, not just report incidents after the fact.

Tips for building a risk-aware culture

Over the last decade, cybersecurity breaches have become one of the biggest risks for companies across every industry and vertical. The Cost of a Data Breach Report 2023 found that the average cost of a breach climbed to a new high of USD 4.45 million, a 15.3% increase from 2020.

With the new SEC rules in force, companies need a comprehensive, rehearsed incident response process. Keeping a company safe is not only the job of the chief information security officer (CISO) and the security and IT teams. Everyone, from the board to management to line employees, has responsibilities for protecting against and responding to threats. Spreading awareness of cybersecurity risk throughout the organization is critical, because nearly every team operates on critical systems or handles data that could put the company at risk.

A security orchestration, automation, and response (SOAR) solution can help an organization’s SOC manage its threat response efficiently and decisively. Security teams can manage risk by using dynamic playbooks and automations for investigation and response, and by timestamping key actions (detection, containment, the materiality determination, notifications) so that reporting, legal and compliance teams have an auditable record. Stronger risk management helps organizations protect against security incidents and also assure investors that a robust incident response process exists in the event of a breach.
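The two mechanical pieces of the rule described above, the timestamped action record and the four-business-day Form 8-K clock, are easy to get wrong at the edges (a determination made on a Friday, a holiday inside the window, a log entry with an ambiguous local time). The following is an added example written for this article; it is not code from the article or from IBM QRadar SOAR. Its assumptions: the filing window counts the four weekdays after the day of the materiality determination, the holiday set is supplied by the caller (the one in the code is a constructed placeholder, not the SEC’s official calendar), and all timestamps are stored timezone-aware in UTC.

```python
"""Incident timeline and Form 8-K deadline helper.

Added example for this article; not code from the article or from
IBM QRadar SOAR. Assumptions (not stated in the rule text quoted above):
the four-business-day clock counts weekdays after the day of the
materiality determination, the holiday set is supplied by the caller
(SAMPLE_HOLIDAYS below is a constructed placeholder, not the SEC's
calendar), and every timestamp is stored timezone-aware in UTC.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

FILING_WINDOW_BUSINESS_DAYS = 4


def _as_date(value: date | str) -> date:
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start: date | str, n: int, holidays=()) -> date:
    """Advance `start` by n business days (weekdays not in `holidays`)."""
    skip = {_as_date(h) for h in holidays}
    current = _as_date(start)
    counted = 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in skip:
            counted += 1
    return current


def form_8k_deadline(determination: date | str, holidays=()) -> date:
    """Last day to file Form 8-K: four business days after the
    materiality determination (the determination day itself is day 0)."""
    return add_business_days(determination, FILING_WINDOW_BUSINESS_DAYS, holidays)


@dataclass
class TimelineEntry:
    at: datetime  # always timezone-aware UTC
    actor: str
    action: str


@dataclass
class Incident:
    incident_id: str
    discovered_at: datetime
    entries: list[TimelineEntry] = field(default_factory=list)
    materiality_determined_on: date | None = None

    def record(self, actor: str, action: str, at: datetime | None = None) -> TimelineEntry:
        """Append a timestamped action. Naive timestamps are refused so the
        record is unambiguous for legal and compliance reviewers."""
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        entry = TimelineEntry(at.astimezone(timezone.utc), actor, action)
        self.entries.append(entry)
        return entry

    def determine_material(self, actor: str, at: datetime) -> date:
        """Log the materiality determination; this is what starts the 8-K clock."""
        entry = self.record(actor, "materiality determination: material", at)
        self.materiality_determined_on = entry.at.date()
        return self.materiality_determined_on

    def days_to_determination(self) -> int:
        """Calendar days from discovery to determination; a large value is
        what a reviewer would question as unreasonable delay."""
        if self.materiality_determined_on is None:
            raise ValueError("no materiality determination recorded")
        return (self.materiality_determined_on - self.discovered_at.date()).days

    def deadline(self, holidays=()) -> date:
        """Form 8-K filing deadline for this incident."""
        if self.materiality_determined_on is None:
            raise ValueError("no materiality determination recorded")
        return form_8k_deadline(self.materiality_determined_on, holidays)

    def timeline_lines(self) -> list[str]:
        """Chronological, ISO-stamped lines for the disclosure workpaper."""
        return [f"{e.at.isoformat()} {e.actor}: {e.action}"
                for e in sorted(self.entries, key=lambda e: e.at)]


# Constructed placeholder holidays; not an official SEC calendar.
SAMPLE_HOLIDAYS = ("2023-12-25", "2024-01-01")


def build_sample_incident() -> Incident:
    """Constructed walk-through: discovery on a Monday, determination on the
    following Thursday, with Christmas Day falling inside the filing window."""
    utc = timezone.utc
    inc = Incident("INC-2023-0142", datetime(2023, 12, 18, 9, 5, tzinfo=utc))
    inc.record("soc-analyst", "alert triaged: suspicious data egress", datetime(2023, 12, 18, 9, 5, tzinfo=utc))
    inc.record("ir-lead", "containment: credentials rotated, host isolated", datetime(2023, 12, 18, 14, 30, tzinfo=utc))
    inc.record("forensics", "scope confirmed: customer records affected", datetime(2023, 12, 20, 17, 0, tzinfo=utc))
    inc.determine_material("disclosure-committee", datetime(2023, 12, 21, 16, 0, tzinfo=utc))
    return inc


if __name__ == "__main__":
    sample = build_sample_incident()
    print("\n".join(sample.timeline_lines()))
    print("discovery-to-determination (days):", sample.days_to_determination())
    print("Form 8-K deadline:", sample.deadline(SAMPLE_HOLIDAYS))
```

In the sample, the determination on Thursday 21 December 2023 gives a deadline of Wednesday 27 December if no holidays are configured and Thursday 28 December once Christmas Day is excluded; the same determination made on a Friday also lands on the 28th. The holiday list is the part most likely to be wrong in practice, so keep it under change control rather than hard-coding it in a playbook.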

IBM Security QRadar SOAR provides clear visibility into an incident, making it easier to gather the information needed to comply with the new SEC rules. It also gives the CISO a clear picture of the highest-priority security incidents to share with other leaders. Additionally, the Breach Response module of QRadar SOAR helps organizations prepare for and respond to breaches by integrating privacy reporting tasks into the overall incident response playbooks, and it supports collaboration across privacy, HR and legal teams so that regulatory requirements are addressed as part of the response rather than afterwards.

Given the new SEC regulations, it is critical for organization leaders to discuss security posture and incident response regularly, not only when an incident has occurred. With a short reporting window for material incidents and incident response processes now part of the annual report, it is more important than ever for the CISO and other security and IT leaders to engage C-suite leadership and the board of directors in security conversations.

Tools such as SOAR can help the CISO articulate the business’s risk posture to C-suite leadership and the board in a common language that keeps that conversation going. Including company leaders on a regular basis, not just after an incident, helps direct budget and attention to the biggest gaps and so helps the company protect itself against future incidents such as data breaches. Cybersecurity risk is a very real part of business today. Meeting the new disclosure requirements addresses the regulatory risk; reducing the underlying risk still depends on the right automation tools and routine engagement on cybersecurity risk with company leadership.
