New Securities and Exchange Commission (SEC) Cybersecurity Reporting Rules for Public Companies
This live webinar was presented by Professor Thu Nguyen as part of Temple’s ITACS training series. As a listener, I learned about the SEC’s newly implemented (in July) rules for cybersecurity reporting in the business setting and their impacts. This year alone, 20M individuals in the US will have their data breached, where the majority of them are related to phishing attacks. Companies with large amounts of data puts consumers in a very vulnerable place. Some of the new rules implemented by the SEC include:
- Companies must disclose material cybersecurity incidents within 4 days of discovery
- Must go even further to disclose information from past breaches that have been disclosed, an an analysis of immaterial ones that have not
- Materiality is subjective, so the company must define it in policies
- Companies must disclose information about their CS risk management/ internal controls strategy/governance
- Internal controls must be specified to make sure these policies are being actively enforced
- Expanded compliance for investors
The impact on companies means increased interconnectedness between departments to coordinate legal, risk management, financial, and auditing resources to contribute to a robust CS program. The goal of these rules is to assist investors in making informed decisions and force companies to revisit their CS processes, encouraging them to make Cybersecurity a board issue rather than an operational “checkmark”. It is everyone’s job to contribute to a safe online environment by implementing MFA, password protection sites, etc. Consumers are able to make better informed decisions about whom they can give their data. This presentation gave me insight into the fact that Cybersecurity is here to stay, and tech is becoming more ingrained into business dealings – these are regulations I will have to address if I own my own business.