Material Matters: The SEC's Cyber Disclosure Reality Check

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 19 August 2024
Reading Time: 2 minutes

Industry Tip

The US Securities and Exchange Commission (SEC) adopted its cyber disclosure rule in July 2023. One year later, a wealth of information is available to judge how useful it has been and what changes still need to be made. In May 2024, the SEC found it necessary to review the filings it had received and offer guidance. To understand the current situation, it helps to review how we got here: the original intent behind the disclosure rule, how it has been interpreted, and what the latest guidance says.

Cyber disclosures to regulators and capital markets have become increasingly relevant in the face of ongoing ransomware threats. Ransomware and extortion account for approximately 66% of all financially motivated attacks. The financial impact of these cyberevents has been a significant concern for rating agencies for several years.

It can be inferred that the SEC scrutinized the information available to investors about registrants' cyberoperations and incidents and found it insufficient. Given its remit to regulate the sale of securities, the SEC wants to ensure that the investor community understands the risk associated with an enterprise’s security. To that end, the SEC has long used the following two tests to determine materiality:

  1. Does it significantly alter the total mix of information available?
  2. Would a reasonable investor consider it important?

Over the years, these subjective measures of materiality have been interpreted in various ways, often against unofficial financial thresholds. Even so, there has been a flood of disclosures about cyberevents that are not material, with many filings explicitly stating as much. The SEC has taken note and responded.

In a May 2024 statement, the SEC commented on the number of filings that are not material. It states:

While the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident “that is determined by the registrant to be material,” and, in fact, the item is titled “Material Cybersecurity Incidents.”

It is now clear that the current regime of disclosing nonmaterial incidents under a materiality item is not what the SEC wants. So, what can you do to prepare your organization to make only material disclosures?

Number one on that list is to quantify your cyberrisk posture. This means employing cyberrisk quantification (CRQ) methods to assess the financial losses your organization may experience. Only once that is in place can you establish thresholds that drive action in the organization. Those actions include budgeting, cyberinsurance purchasing, capital adequacy testing, risk acceptance and regulatory reporting. The SEC guidance is not exclusively about financial impact, but once you have established that something is financially impactful, you cannot qualitatively reason that it is not material. The takeaway is that the regulator responsible for instituting the material disclosure process wants you to treat it as exactly that, rather than as a general incident disclosure process. Update your internal incident response processes accordingly.

Jack Freund

Jack Freund is a cyberrisk quantification expert, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.