How to stay on the right side of the latest SEC cybersecurity disclosure rules for a data breach
In July 2023, the Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules for public companies (registrants). The rules add a current-report requirement for material cybersecurity incidents on Form 8-K and a new annual disclosure of cybersecurity risk management, strategy and governance in the Form 10-K.
Under the Form 8-K requirement, a public company must file a report within four business days after it determines that a cybersecurity incident is material; the clock starts at the materiality determination, not at discovery, and that determination must be made without unreasonable delay. The report must describe the material aspects of the nature, scope and timing of the incident and its material (or reasonably likely material) impact on the company, including its financial condition and results of operations, in enough detail for a “reasonable investor” to understand what happened. In practice, a company should be able to answer the following questions for every reportable incident:
- When the incident was discovered and whether it is ongoing.
- A brief description of the nature and scope of the incident.
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
- The effect of the incident on the registrant’s operations.
- Whether the registrant has remediated or is currently remediating the incident.
The rule does not require technical detail about the company’s systems or its response plan that would impede remediation, so responses should be written for investors and leadership rather than for engineers. Keeping the disclosure free of intensely technical detail also makes conversations about cybersecurity risk accessible to everyone involved with the company.
Cyber Risk Management Policies and Procedures
In addition to the Form 8-K update, the new SEC rule requires the annual report on Form 10-K to describe the company’s processes for assessing, identifying and managing material risks from cybersecurity threats, management’s role in those processes and the board’s oversight of them. These descriptions should be as comprehensible as possible so that both the C-suite and the board of directors can engage with them. The annual disclosure is also important because it makes a company’s cybersecurity governance visible to investors.
Within the last decade, cybersecurity breaches have risen to become one of the biggest risks for companies of all industries and verticals. The Cost of a Data Breach Report 2023 found that the average cost of a breach climbed to a new high of USD 4.45 million, a 15.3% increase from 2020. The SEC developed the new rules to standardize disclosures about cybersecurity risk management and incident reporting, which are now common conversations and practices across organizations.
Tips for building a risk-aware culture
With the adoption of these new SEC rules, companies must have a comprehensive incident response process in place. Keeping a company safe is not only the job of the chief information security officer (CISO) and the security and IT teams. All employees must be trained to recognize and report potential threats. Because the four-business-day clock starts once an incident is determined to be material, and that determination has to be made without unreasonable delay, every employee needs to know when to raise the alarm over a potential breach, no matter how small, so that the right people can assess it quickly. Spreading awareness of cybersecurity risks throughout the whole organization helps keep a company safe, because nearly every team handles data that could put the company at risk.
By using a leading security orchestration, automation and response (SOAR) solution, an organization’s SOC can manage its threat response more efficiently and decisively. Security teams can better manage risk by leveraging dynamic playbooks, automating investigation and response, and timestamping key actions for reporting, legal and compliance needs. Stronger risk management helps organizations not only avoid security incidents but also assure investors that a sound incident response process exists in the event of a breach.
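A minimal illustration of the two mechanics the paragraph above relies on, written as an added example for this page rather than code from the original article or from any SOAR product: an append-only incident timeline whose timestamped entries are hash-chained so that a later edit or deletion is detectable, and a calculator for the Form 8-K filing deadline that counts four business days from the materiality determination. The incident identifier, actors and timestamps are constructed, and the holiday set (SEC business days exclude federal holidays) is an assumption supplied by the caller.

```python
# Added example (not from the original article or from QRadar SOAR): a hash-chained
# incident timeline plus the Form 8-K Item 1.05 deadline computation.
# Assumptions: identifiers, actors and timestamps below are constructed; the caller
# supplies the holiday set (SEC business days exclude weekends and federal holidays).
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

GENESIS = "0" * 64
MATERIALITY_TAG = "materiality-determined"


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class IncidentLog:
    incident_id: str
    entries: list[dict] = field(default_factory=list)

    def record(self, actor: str, action: str, when: datetime | None = None) -> dict:
        """Append one timestamped action, chained to the previous entry's hash."""
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, reordered or dropped entry breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def materiality_date(self) -> date | None:
        """UTC date of the materiality determination, which starts the 8-K clock."""
        for entry in self.entries:
            if entry["action"] == MATERIALITY_TAG:
                return datetime.fromisoformat(entry["ts"]).date()
        return None


def filing_deadline(determined: date, holidays: frozenset[date] = frozenset()) -> date:
    """Four business days after the materiality determination (weekends and holidays skipped)."""
    day, remaining = determined, 4
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            remaining -= 1
    return day


def build_sample_log() -> IncidentLog:
    """Constructed timeline: discovery on Thursday 2023-12-14, materiality decided on Friday."""
    log = IncidentLog("INC-2023-0042")  # constructed identifier
    t0 = datetime(2023, 12, 14, 9, 30, tzinfo=timezone.utc)
    log.record("soc-analyst", "alert triaged: unauthorized access to file share", t0)
    log.record("ir-lead", "containment: affected accounts disabled", t0 + timedelta(hours=2))
    log.record("ir-lead", "scope: customer records confirmed exfiltrated", t0 + timedelta(hours=20))
    log.record("disclosure-committee", MATERIALITY_TAG, t0 + timedelta(hours=26))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    decided = sample.materiality_date()
    print(sample.incident_id, "chain intact:", sample.verify())
    print("materiality determined:", decided, "-> file Item 1.05 by:", filing_deadline(decided))
```

The chain is only tamper-evident, not tamper-proof: whoever can rewrite the whole log can recompute every hash, so in practice the head hash should be anchored somewhere the incident team cannot alter (a ticketing system, a write-once store, or a signed export handed to legal). The deadline helper deliberately takes the materiality date rather than the discovery date, which is the distinction a rushed response team most often gets wrong.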
QRadar SOAR provides clear visibility into an incident, making it easier to comply with these new SEC regulations. It also gives the CISO a clear picture of higher priority security incidents to easily share with other leadership. Additionally, the Breach Response module of QRadar SOAR helps organizations prepare for and respond to privacy breaches by integrating privacy reporting tasks into your overall incident response playbooks. It facilitates collaboration across privacy, HR and legal teams to address requirements for over 180 regulations.
The new SEC rules should encourage organization leaders to hold regular conversations about security posture and incident response, not only when a security incident occurs. With the four-business-day deadline for reporting material incidents and the inclusion of cybersecurity risk management and governance in annual reports, it is essential for the CISO and other security and IT leaders to engage C-suite leadership and the board of directors in security conversations.
Integrate the proper tools today
To keep the conversation going on such an important topic, integrating the proper tools, such as SOAR, can enable the CISO to articulate the risk posture of the business to C-suite leadership and the board of directors in a common language that opens the discussion. Bringing company leaders into that conversation every quarter, not just after an incident, helps direct budget and visibility toward the largest gaps, which in turn helps prevent future security incidents such as data breaches. Cybersecurity risk is a very real part of business today, but a company can manage it by meeting these disclosure requirements, using the right automation tools, and routinely discussing cybersecurity risk with company leadership.
Watch our team of experts’ discussion — “Four impactful steps to help scale your SOC while following regulatory reporting requirements” — to learn more.
Program Director, Product Marketing, Threat Detection and Response portfolio
Product Marketing Manager, QRadar SOAR