In July 2023, the Securities and Exchange Commission (SEC) voted to adopt new cybersecurity rules and requirements for all publicly listed companies to address risks. Among the new rules were updated requirements for filing Form 8-K as well as new disclosure obligations for Form 10-K.
Under the new rule, public companies will be required to report on Form 8-K within four business days after the company determines it has experienced a material cybersecurity incident.
The filed Form 8-K must describe:
- The material aspects of the nature, scope, and timing of the incident, and
- The material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
Cyber risk management processes
In addition to updates to Form 8-K, the new SEC rules call for disclosure in Form 10-K of processes used to assess, identify, and manage cybersecurity threats. In the disclosure, companies must also describe the board of directors’ oversight of cybersecurity risks and management’s role in assessing and managing cybersecurity risks. This added cybersecurity disclosure to Form 10-K is also important as it represents a significant expansion of companies’ disclosure obligations.
Tips for building a risk-aware culture
Within the last decade, cybersecurity breaches have been on the rise as one of the biggest risks for companies of all industries and verticals. In fact, the Cost of a Data Breach Report 2023 found that the average cost of a breach climbed to a new high of USD 4.45 million, representing a 15.3% increase from 2020.
With the adoption of the new SEC rules, companies must be even more prepared to have a highly comprehensive incident response process. It is not just the role of the chief information security officer (CISO), security, and IT teams to keep a company safe. Everyone, from the board to management to line employees have responsibilities to protect against and respond to threats. Spreading awareness of cybersecurity risks throughout the whole organization is critical, as nearly every team in a business operates on critical systems and/or with data that could put the company at risk.
Using a security orchestration, automation, and response (SOAR) solution can help enable an organization’s SOC to manage its threat response efficiently and decisively. Security teams can manage risk by leveraging dynamic playbooks and automations for investigation and response, and by timestamping key actions for reporting, legal, and compliance needs. Stronger risk management can help organizations not only protect against security incidents but also assure investors of a robust incident response process in the event of a breach.
Given the new SEC regulations, it is critical for organization leaders to engage in regular conversations around security posture and incident response, not only in the event of a security incident. With the new rules to report security incidents in a short timeframe and the inclusion of incident response processes in annual reports, it is even more essential for both the CISO and other security and IT leaders to engage C-suite leadership and the board of directors in security conversations.
To keep the conversation going on such an important topic, integrating the proper tools, such as SOAR, can help the CISO to effectively articulate the risk posture of the business to C-suite leadership and the board of directors in a way that establishes a common language to open the discussion. Opening the conversation to include company leaders on a regular basis, not just when an incident has taken place, can help guide budget and visibility to fill major gaps, therefore helping a company protect itself against security incidents such as data breaches in the future. Cybersecurity risks are a very real part of business today, but a company can mitigate these risks if it abides by these new disclosure requirements, uses the right automation tools, and routinely engages on cybersecurity risk with company leadership.
Explore IBM threat intelligence management services