December 7, 2023 By Hannah Klemme
Hannah Chong
3 min read

In July 2023, the Securities and Exchange Commission (SEC) voted to adopt new cybersecurity rules and requirements for all publicly listed companies to address risks. Among the new rules were updated requirements for filing Form 8-K as well as new disclosure obligations for Form 10-K. 

Under the new rule, public companies will be required to report on Form 8-K within four business days after the company determines it has experienced a material cybersecurity incident.

The filed Form 8-K must describe:

  1. The material aspects of the nature, scope, and timing of the incident, and
  2. The material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

Cyber risk management processes 

In addition to updates to Form 8-K, the new SEC rules call for disclosure in Form 10-K of processes used to assess, identify, and manage cybersecurity threats. In the disclosure, companies must also describe the board of directors’ oversight of cybersecurity risks and management’s role in assessing and managing cybersecurity risks. This added cybersecurity disclosure to Form 10-K is also important as it represents a significant expansion of companies’ disclosure obligations. 

Tips for building a risk-aware culture

Within the last decade, cybersecurity breaches have been on the rise as one of the biggest risks for companies of all industries and verticals. In fact, the Cost of a Data Breach Report 2023 found that the average cost of a breach climbed to a new high of USD 4.45 million, representing a 15.3% increase from 2020.

With the adoption of the new SEC rules, companies must be even more prepared to have a highly comprehensive incident response process. It is not just the role of the chief information security officer (CISO), security, and IT teams to keep a company safe. Everyone, from the board to management to line employees have responsibilities to protect against and respond to threats. Spreading awareness of cybersecurity risks throughout the whole organization is critical, as nearly every team in a business operates on critical systems and/or with data that could put the company at risk. 

Using a security orchestration, automation, and response (SOAR) solution can help enable an organization’s SOC to manage its threat response efficiently and decisively. Security teams can manage risk by leveraging dynamic playbooks and automations for investigation and response, and by timestamping key actions for reporting, legal, and compliance needs. Stronger risk management can help organizations not only protect against security incidents but also assure investors of a robust incident response process in the event of a breach.

IBM Security QRadar SOAR provides clear visibility into an incident, making it easier to access information needed to comply with these new SEC rules. It also gives the CISO a clear picture of higher priority security incidents to easily share with other leadership. Additionally, the Breach Response module of QRadar SOAR helps organizations prepare for and respond to security breaches by integrating privacy reporting tasks into your overall incident response playbooks. It facilitates collaboration across privacy, HR, and legal teams to help users address regulatory requirements.

Given the new SEC regulations, it is critical for organization leaders to engage in regular conversations around security posture and incident response, not only in the event of a security incident. With the new rules to report security incidents in a short timeframe and the inclusion of incident response processes in annual reports, it is even more essential for both the CISO and other security and IT leaders to engage C-suite leadership and the board of directors in security conversations.

To keep the conversation going on such an important topic, integrating the proper tools, such as SOAR, can help the CISO to effectively articulate the risk posture of the business to C-suite leadership and the board of directors in a way that establishes a common language to open the discussion. Opening the conversation to include company leaders on a regular basis, not just when an incident has taken place, can help guide budget and visibility to fill major gaps, therefore helping a company protect itself against security incidents such as data breaches in the future. Cybersecurity risks are a very real part of business today, but a company can mitigate these risks if it abides by these new disclosure requirements, uses the right automation tools, and routinely engages on cybersecurity risk with company leadership. 

Tap the link below to watch our experts discuss “4 impactful steps to help scale your SOC while following regulatory reporting requirements.”

Watch our team of experts today
Was this article helpful?

More from Security

Enterprise security is facing an identity crisis: Findings from the latest X-Force Threat Intelligence Index

2 min read - In this year’s IBM X-Force Threat Intelligence Index, our annual report of cybersecurity trends, we observed a pronounced surge in cyber threats targeting identities. Cyber criminals leveraged stolen credentials in 30% of the investigations X-Force responded to in 2023, which tracks a 71% increase compared to the previous year. Let’s take a look at some of the key findings from this year’s report. There are several ways that cybercriminals obtain valid credentials to use in breaches. In 2023, one of…

How to implement the General Data Protection Regulation (GDPR)

10 min read - The General Data Protection Regulation (GDPR), the European Union's landmark data privacy law, took effect in 2018. Yet many organizations still struggle to meet compliance requirements, and EU data protection authorities do not hesitate to hand out penalties. Even the world's biggest businesses are not free from GDPR woes. Irish regulators hit Meta with a EUR 1.2 billion fine in 2023. Italian authorities are investigating OpenAI for suspected violations, even going so far as to ban ChatGPT briefly. Many businesses…

What are breach and attack simulations?

4 min read - Breach and Attack Simulation (BAS) is an automated and continuous software-based approach to offensive security. Similar to other forms of security validation such as red teaming and penetration testing, BAS complements more traditional security tools by simulating cyberattacks to test security controls and provide actionable insights. Like a red team exercise, breach and attack simulations use the real-world attack tactics, techniques, and procedures (TTPs) employed by hackers to proactively identify and mitigate security vulnerabilities before they can be exploited by…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters