Decoded Technology Law Insights, V 5, Issue 2, March 2024 | Spilman Thomas & Battle, PLLC | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

“Looking closely at the SEC crackdown, it could prove to be just the nudge companies need to finally prepare the kind of proper incident response plans that would help them with fast-turnaround reporting.”

Why this is important: On September 5, 2023, the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect. These rules require publicly traded companies to disclose “material” cybersecurity incidents within four business days. “Material” means an incident where “there is a substantial likelihood that a reasonable shareholder would consider it important” in relation to making an investment decision. The disclosure guidelines require:

  • Disclosure of cybersecurity incidents within four business days, including a description of the nature, scope, timing, and material or likely material impact;.
  • Implementation of detailed processes for assessing, identifying, and managing material risks from cybersecurity threats; and
  • A description of the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks.

Enforcement of these new rules began in December 2023.

There is confusion regarding when the four-day disclosure countdown begins. It is not when the cyberattack is discovered. It instead begins when the cyberattack is determined to be “material,” which can vary from case to case. Regardless, time is of the essence, and public companies should not rely on the application of a “grace period” when complying with the disclosure rule. Consequently, companies subject to the disclosure rule should implement a response plan now so that they are prepared to comply with the disclosure rule within the tight disclosure period. If your organization needs assistance developing a robust response plan in order to be able to timely comply with the SEC disclosure rule, please contact a member of Spilman’s Cybersecurity & Data Protection Practice Group for help. — Alexander L. Turner



Click Here For The Original Source.

National Cyber Security