Properly responding to material incidents could protect your organization from receiving charges from the SEC.
The SEC published its final rule meant to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
Evaluate incidents carefully
Nonmaterial cyber incidents don’t have to be disclosed to the SEC; however, the number of material cybersecurity incidents is likely higher than organizations report.
What if some of the cybersecurity incidents organizations originally deemed nonmaterial are actually material? How well do organizations evaluate incidents to determine whether they’re material?
SEC enforcement cases
In the past, the SEC rarely brought enforcement actions over cybersecurity incidents. However, three enforcement cases against companies indicate things are changing.
A property title company in California, an educational services company in the United Kingdom, and a software company in South Carolina received enforcement actions for not properly disclosing facts surrounding a material cybersecurity incident.
In each case, front-line IT personnel might not have:
- Fully understood how their company defined materiality
- Been incentivized to report the vulnerability up the chain of command
- Made necessary changes to systems or programs in a timely manner
- Described the incident accurately and completely
The Division of Enforcement within the SEC is signaling a hard line against companies that haven’t designed and implemented cybersecurity disclosure controls that accurately and completely mention all material facts regarding incidents. Registrants should know the new rules give the SEC a new basis for bringing enforcement actions.