In episode 108 of the Cybersecurity Minute, Chris Hughes discusses some new rules regarding cybersecurity from the Securities and Exchange Commission (SEC).
This episode is sponsored by “Selling to the New Executive Buying Committee,” an Acceleration Economy Course designed to help vendors, partners, and buyers understand the shifting sands of how mid-market and enterprise CXOs are making purchase decisions to modernize technology.
00:26 — These rules haven’t taken effect yet, but they will in the coming months.
01:21 — One is around the transparency of cybersecurity incidents. Organizations will have four days to report incidents on Form 8-K. Practitioners point out that there’s often a dwell time that can impact reporting timelines. Also, there are likely to be cases where an incident has been identified but its full scope has not yet been determined. Nonetheless, the report must be made within four days of identifying an incident and deeming it material.
02:51 — There’s another SEC requirement around identifying, assessing, and managing material risks related to cybersecurity threats. It requires organizations to disclose details of the board of directors’ and management’s oversight of risk related to cybersecurity threats. It didn’t go quite as far as some in cybersecurity had originally hoped.
03:24 — It is calling for organizations to at least disclose that they have processes, policies, and procedures in place to understand cybersecurity threats and what role management has in overseeing them.