Page 117 - Cyber Defense eMagazine March 2024
Below are answers to the two most critical questions business leaders have been asking about the new
disclosure rules since implementation:
There are Two Major Components to Compliance.
To make compliance as simple as possible for business leaders, it is best for them to focus on the two
major components of the rule. The first is that public companies are now required to disclose
material cybersecurity incidents within 72 hours on new Item 1.05 of Form 8-K. This means that public
businesses must have a plan in place for swift investigation and reporting in the hours following a
material cybersecurity incident. Best practices for doing so include assigning a team or task force focused
on mitigating incidents as they occur, as well as managing the completion of proper documentation in the
aftermath. This information should also be shared with investors and key stakeholders in a timely and
consistent manner.
Secondly, the rule requires the reporting of material information regarding cybersecurity risk
management, strategy, and governance on an annual basis. This reinforces the critical need for creating,
adapting, and executing formal cybersecurity response plans, led by a dedicated team.
Reporting Should Cover the What, When & Why.
So, you had a material incident occur. What do you need to include in your report? This is the question
that has been top of mind for leaders since the rule was first proposed in March 2022. Thankfully, in
recent months, the SEC has provided more context to what they are looking for in official incident reports,
and it’s simpler than you would expect. Basically, your report should cover three questions: what, when
and why?
What?
For starters, public companies must describe the nature, scope, and timing of the material incident, as
well as the current or likely material impact. A material impact is defined as a consequence that has a
negative effect on the company's financial position, operations, or customer service. Companies need not get
too specific about the technical details of the breach, so as not to leave themselves vulnerable to future cyber incidents.
When?
As for the “when,” prior to the rule taking effect, there was a lot of discourse over the expectation of a
rapid turnaround of reporting following an incident. However, the SEC has since clarified that
the discovery of a cyber incident is NOT the triggering event for the 72-hour reporting deadline; rather,
it is the determination that the breach was a material incident. That means that, following a breach, a
company can do the proper due diligence of investigating the breach, interviewing staff, and working with
vendors and third parties to conclude whether the incident was material before the countdown to disclose begins.
Exceptions are made and reasonable delays are granted in situations where companies do not have
the paperwork or details available to file a report in that time frame.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.