Key Changes and Tips to be SEC Ready
August 1, 2023
For the past 15 months, I’ve been helping public organizations prepare to comply with the U.S. Securities and Exchange Commission’s (SEC) proposed cybersecurity disclosures and incident management procedures for commission registrants. Those proposed rules are now finalized and about to become a reporting reality later this year (90 days after their publication in the Federal Register or by December 18 – whichever comes first). Regardless of where you are in your own readiness, here is an overview of the key changes in the finalized ruleset and guidance on what to do next.
As I shared last year, organizations will be required to publicly disclose incidents within four business days of the date on which they determine that an incident is material, that is, of significant interest to investors. The finalized SEC regulations include the following changes:
Looking deeper into the finalized regulations in comparison with the 2022 proposal, I recommend the following guidance to organizational leaders:
Develop a repeatable process and plan for identifying, determining and ratifying the meaning of materiality. The four-day disclosure timeline begins once an organization determines the materiality of an incident. However, the concept of materiality has changed significantly between the submission of the SEC’s 2022 proposal and the 2023 final rule. Materiality was initially assumed to be the quantitative business impact, judged from a reasonable investor’s standpoint. Companies are now obligated to describe the timing of incidents and the likely impact of incidents on victims, as well as to specifically consider qualitative factors such as reputational harm. Organizations therefore have limited time to align on a clear and succinct understanding of materiality. When devising and implementing an incident management plan, business leaders (including the CFO) should establish a 30-60-90 day plan for determining materiality in a timely, repeatable manner. It is important to consider not only the quantitative metrics that contribute to an organization’s materiality threshold, but also the qualitative ones that affect its brand and reputation.
Ensure the board of directors is capable of cybersecurity risk management. Regulation S-K Item 106(c) of the final rule requires an organization to disclose information on the board’s cybersecurity risk oversight and the role of management in material risk assessment and management. Although opinions may differ on the SEC’s final rule to streamline the CISO, board and governance roles of risk management, the key takeaway is that cybersecurity risk is business risk. Boards are responsible for risk management, and cyber risk should be considered part of the overall systemic risk for any publicly traded company. Organizations need to provide effective, continuous cybersecurity training and risk reporting to their board so that they stay informed of the latest threats and are equipped to make cyber risk management decisions.
Account for third-party and supply-chain vendor management in company policies and risk reporting. Vulnerabilities in supply-chain software and other third parties, such as service providers, are continually reported as significant threat vectors. It is therefore understandable that the SEC seeks to better understand the material risks that come with a reliance on third parties for products and services. If a threat actor exploits a vulnerability in third-party software or a third-party platform to steal an organization’s data, for example, then it is the responsibility of both the third party and the end party to disclose the incident. It is recommended that organizations understand how their third-party suppliers define materiality, as there will be discrepancies.
Given the rapid pace at which cyber incidents escalate, the SEC is making a long-awaited first attempt to produce comprehensive cybersecurity disclosure regulations. The final rule answers the public call to action to provide greater transparency for shareholders and the overall market.