September 13, 2023
On July 26, the U.S. Securities and Exchange Commission (SEC) fast-tracked approval of its cybersecurity disclosure rules for publicly traded companies focused on incident disclosure; cybersecurity risk management, strategy, and governance; and the involvement of boards of directors in cybersecurity programs. While many of us didn’t expect official rule adoption until October, the SEC surprised us all and is sending a clear message about the importance it is placing on cybersecurity.
While some of the approved regulations differ slightly from the initial proposal, many of the core tenets remain, including requiring registrants to disclose material cybersecurity incidents within four days after the company has determined that there is a material impact on an information security system and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. Here’s an overview of both requirements as spelled out in the SEC’s announcement:
With these new rules adopted, publicly traded companies of all sizes are now in a race to comply ahead of the specified deadlines, which are looming. In the case of incident disclosure, or Form 8-K, the rules will become effective 90 days after their publication in the Federal Register or Dec. 18, 2023 (though smaller reporting companies will have up to an additional 180 days to comply). Form 10-K disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
In both cases, companies are battling an aggressive adoption timeline and execution within this short window will require a significant undertaking.
The biggest hurdle many companies will face along their journeys to compliance is overcoming the SEC’s vague language on disclosing material cyber incidents by defining what “materiality” means to them, viewed from the reasonable shareholder’s point of view. Getting this right will require involvement from every stakeholder within the organization, especially information technology and cybersecurity teams, the chief financial officer, and the general counsel.
Each of these stakeholders must identify very specific qualitative and quantitative financial and business factors that affect their company, so they can properly assess what rises to the level of an incident of material impact, or reasonably likely material impact, on the registrant. This is vital to comply with new disclosure rules because once an incident is deemed to have a material impact on a victim, the company has four days to publicly disclose it.
The bottom line is that complying with the SEC’s new rules requires a lot of different parties to meet to put policies, processes, and procedures in place to determine what constitutes a material incident and how to respond if one occurs — and they only have 90 to 120 days to do so.
While it’s true that the SEC’s new rules come with their fair share of challenges, there are some major steps forward for the industry as well. For example, companies have been reluctant to publicly disclose cyber breaches for fear of reputational and financial repercussions and stakeholder pushback.
Omissions of this nature have hindered law enforcement’s ability to catch cybercriminals and prevent similar attacks from happening to other organizations. Now, we can feel more confident that the industry, stakeholders, and law enforcement will get the information they need in a timely fashion for better decision-making and faster enforcement response.
Additionally, though the SEC may not have adopted rules requiring board members to have cybersecurity qualifications, Item 106 is designed to elevate the role of all leadership, including the board, CEOs, and chief information security officers, in risk management. This is a huge win from a cultural standpoint because cyber resilience can only be achieved with company-wide involvement — from the boardroom to the mailroom.
Finally, getting boards and senior leadership more involved in risk management will hopefully help leaders with antiquated perceptions of security as a cost center to shift their thinking to view security for what it truly is: a business enabler.
We know the rules and we know the deadlines, but most publicly traded companies only have between 90 and 120 days to meet the requirements. This is an extremely tight timeframe for the extent of collaboration and work that needs to happen to get businesses on the path to compliance.
Once the SEC begins to dole out enforcement actions and noncompliance consequences, we’ll have a better idea of what they are expecting from publicly traded companies. Until then, we must do our best to prepare, and this means acting today by convening all stakeholders within the company to get them focused on determining materiality and putting the steps in place to report and respond should a material incident occur.
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.
*This article originally appeared on the NACD BoardTalk blog. Reprinted with permission.