Making Sense of the New SEC Cybersecurity Rules and What They Could Mean for Your Company

Security Paul Kurtz
The United States Securities and Exchange Commission’s (SEC) July 26 approval of new cybersecurity “incident” disclosure rules is top of mind for every public company, and understanding what it means and how companies will be held accountable is crucial. The rules were initially introduced in March 2022 but the Commission’s deliberation on disclosing cyber incidents began over ten years ago. Let’s dig into it.

The new rules, which will go into effect later this year, require that publicly-traded companies (or “registrants”) disclose a “material” cybersecurity incident within four business days of determining an incident was material. There is an exception to the reporting timeline, which allows for a delay if disclosing the incident could harm national security or public safety. However, only the United States Attorney General must grant such an exception.

What is most interesting is that registrants must disclose the impact of a material cybersecurity incident but are not required to disclose the technical details, such as the vulnerabilities exploited or the indicators of compromise.The rules will require the registrant to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”

In addition to cyber incident disclosure requirements, the SEC also mandates that public companies periodically disclose information regarding their cybersecurity risk management, strategy, governance and risk factors.

The upshot of the new rule means that while companies do not have to disclose the technical details of an incident, they need two capabilities to respond and report on a timely basis:

A Roadmap to Rapid Resilience

Service disruptions often look the same, but internal teams need help to obtain the holistic view required to solve a problem quickly. The field is crowded with players in roles ranging from business leaders, security, operations, IT, and audit, to engineers, developers, and architects. So how do you prepare and recover from unexpected cyber disruptions quickly?

It starts with public companies adequately investing in the right people, technology and processes that enable cyber resilience. This makes it possible for SecOps, ITOps, and engineering to collaborate with the right tools to prevent significant issues, remediate quickly, and accelerate transformation.

The new SEC rules drive publicly-traded companies — like Splunk — to take a resilient-first technology approach that enable improved visibility of IT and OT infrastructure, including:

Click here to learn more about Spunk’s ability to help increase your cyber resilience and help meet the SEC’s disclosure requirements.

Related Articles

The Lost Payload: MSIX Resurrection
Security
13 Minute Read

The Lost Payload: MSIX Resurrection

Threat actors weaponize MSIX for malware delivery – learn about MSIX attacks, distribution, and how Splunk's MSIXBuilder helps security teams test detection safely.
Splunk Security Award-Winning Momentum in 2022
Security
2 Minute Read

Splunk Security Award-Winning Momentum in 2022

See why analysts continue to recognize that Splunk Security is a must-have when it comes to the need for SIEM and SOAR solutions.
Security Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP
Security
6 Minute Read

Security Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP

The Splunk Threat Research Team explores how Splunk can help you identify and investigate CVE-2024-4040 exploitation in your CrushFTP environment.