On March 13, 2023, the Securities and Exchange Commission (SEC) proposed new cybersecurity rules and requirements for all market entities to address risks. Among the proposed regulations were updated requirements for Form 8-K reporting as well as new guidance for Form 10-K Amendments.
Under the proposed rule surrounding Form 8-K reporting, companies would be required to report breaches within four days of an incident. Five documented questions and answers must be included in all incident reports, with responses detailed enough for the “reasonable investor” to gain insight into the breach. The following questions are required for all Form 8-K incident reporting under the proposed regulations:
- When the incident was discovered and whether it is ongoing.
- A brief description of the nature and scope of the incident.
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
- The effect of the incident on the registrant’s operations.
- Whether the registrant has remediated or is currently remediating the incident.
Answering the required questions without intensely technical detail makes conversations about cybersecurity risk more accessible to all parties involved with the company.
Cyber Risk Management Policies and Procedures
In addition, the SEC proposal called for the inclusion of specific policies and procedures for managing cybersecurity in Form 10-K Amendments. The cybersecurity risk policies and procedures included in Form 10-K should be as comprehensible as possible to allow for engagement from both the C-suite and the board of directors. This added cybersecurity amendment to Form 10-K is also important because it brings transparency to how a company governs its cybersecurity protocols.
Within the last decade, cybersecurity breaches have been on the rise as one of the biggest risks for companies of all industries and verticals. In fact, looking to the future, the risk is only going to rise. In a 2019 survey, 200 of the largest global companies rated cybersecurity as the top threat to both the growth of their business and the growth of the global economy for the next decade. The SEC chose to develop the proposed regulations with hopes to standardize disclosures regarding cybersecurity risk management and incident reporting as they become common conversations and practices across all organizations.
Tips for Building a Risk-Aware Culture
In the event that the SEC proposal becomes a reality, companies must be prepared with a highly comprehensive incident response process. Keeping a company safe is not just the role of the chief information security officer (CISO), the security team, and the IT team. All members of a company must be trained to watch with a keen eye for potential threats. Knowing when to raise the alarm over a potential breach, no matter how small, is important for all employees in helping the company comply with SEC regulations. Spreading awareness of cybersecurity risks throughout the whole organization can help keep a company safe, as nearly every team in a business handles data that could put the company at risk.
To help keep the conversation going on such an important topic, employing the right tools, such as a cloud-native application protection platform (CNAPP) and security orchestration, automation, and response (SOAR), can enable the CISO to present the risk posture of the business to C-suite leadership and the board of directors in a way that establishes a common language to open the discussion. Opening the conversation to include company leaders every quarter, not just when an incident has taken place, can help guide budget and visibility toward filling major gaps, helping to prevent security incidents such as data breaches in the future. Cybersecurity risks are a very real part of business today, but by abiding by all regulations, using the right automation tools, and routinely discussing cybersecurity, protecting a company is possible.