Oct 13, 2023
On July 26th, 2023, the SEC dropped a bombshell. It issued its final rule concerning cyber breach disclosure requirements. Along with updates to Form 10-K, which now requires a detailed breakdown of a company’s cybersecurity program, it created a new timeline for filing Form 8-K to disclose a cyber breach after a company determines that unauthorized access to sensitive information constitutes a material incident.
Four days. That’s all the SEC is granting companies to come forward and let the public know they’ve been the victim of an information security failure. That’s a tall order even for the largest enterprise corporations. For smaller companies, it’s an absolute nightmare.
The rule goes into effect on December 16th, 2023, so there’s still time to prepare if your business isn’t quite ready to meet the rigorous reporting standards. Companies need to act fast to prepare for the coming changes.
Read on to learn more about the rule changes and how you can prepare.
The New Cyber Breach Policy
The new SEC rule requires two main things. First, publicly traded companies must include detailed information on their cybersecurity policies in their annual filing of Form 10-K. Second, and more troubling, companies must file Form 8-K disclosing any unauthorized access no later than four days after the cyber breach is deemed material.
In this case, the SEC uses the standard definition of incident materiality established in the Supreme Court case TSC Industries v. Northway: information is material “if there is a substantial likelihood that a reasonable shareholder would consider it important.” If you find that definition somewhat nebulous, you’re not alone.
It’s better to be safe than sorry, so it may be easier to think of it as any data breach in which Personally Identifiable Information (PII), credit card numbers, bank accounts, financial information, email addresses, personal health information, or any other confidential information may have been leaked or stolen.
How Will This Impact Businesses?
Fortunately, this new rule will force businesses to significantly beef up their cybersecurity initiatives to reduce the risk of a data breach.
The additions to Form 10-K will display your company’s cybersecurity plan for the public. It may erode trust in your organization’s ability to keep customers’ sensitive information safe if it’s not thorough enough.
However, the new disclosure requirements when unauthorized users gain access to the data are the real sticking point. With less than an entire business week between discovering a data breach and its disclosure, you will need a data breach recovery plan. Heightened threat detection will also be required to discover and halt malware attacks, phishing attempts, and more before they can do severe damage.
Larger companies may be able to pivot quickly to meet these new requirements by shifting resources around. However, smaller businesses will likely find it difficult to stay compliant if they don’t have easy access to the resources and time needed to prevent major breaches.
For small businesses, the SEC has granted a 180-day deferral once the rule goes into effect on December 16th to get compliant. Companies should use this time to reinforce their cybersecurity policies, acquire cybersecurity insurance, and train their employees on common cyber threats to minimize the chances of a cyber breach.
What You Can Do to Keep Your Data Secure
Preventing a cyberattack from occurring in the first place is the best way to promote information security. After all, there’s nothing to disclose if there’s no cyber breach. Here are a few methods to protect your customers’ data and your business.
Train Employees on What to Watch For
Human error causes most cyberattacks. We recently wrote about how an increase in pharming attacks has caught businesses significantly unprepared. Keeping your employees up-to-date on the latest tactics cyber thieves are using to access your data ensures they’ll recognize when someone is trying to trick them into giving away their login credentials.
It’s also a good idea to announce any current cyber breach attempts, whether phishing, malware attacks, or otherwise, to your employees, so they know what’s happening and how to avoid making mistakes.
Perform a Risk Assessment
Your business is likely vulnerable to cyber breaches you may not be aware of. The digital landscape constantly evolves as threat actors discover new zero-day exploits, perfect phishing scams using generative AI, and more. The first step to creating a comprehensive cybersecurity plan is taking stock of where your organization is currently.
Even if you already have a cybersecurity plan, performing a risk assessment may uncover new weaknesses or, at the very least, give you valuable insights into how your current plan prevents breaches.
Create a Cyber Breach Remediation Plan
If you don’t have one already, a data breach remediation plan is necessary in today’s world of constant cyberattacks. At Blade, our sincerest hope is that a solid cybersecurity strategy will prevent you from ever needing to consult a data breach remediation plan. But we also know that attackers can sometimes get past even the most rigorous security measures.
While solid security infrastructure and practice significantly mitigate the risk of stolen data, the chance is never zero. A data breach remediation plan helps you get back on your feet faster after an incident. It helps to decrease the potential damage to your company.
Get Cybersecurity Insurance
Like a data breach remediation plan, having cybersecurity insurance is one of those things you hope you never need to use, but it is necessary to have. Cyber insurance can help you recover financially after a major cyberattack. This could include replacing damaged server infrastructure or even liability coverage if confidential information is stolen.
Every policy is different, though, and the rules for qualifying are changing. If you need additional help deciding what sort of cybersecurity insurance is right for you or how to renew your current policy, Blade Technologies is here to help.
Partner with the Cybersecurity Experts at Blade Technologies
For some businesses with limited resources, there’s only so much they can do to prepare for a potential cyberattack and breach disclosures. Blade Technologies is here to take the cybersecurity worries off your plate so you can get back to doing what you do best: running your business.
Our managed cybersecurity services help your organization stay on top of the latest vulnerabilities with active threat monitoring, endpoint encryption, dark web monitoring, employee training, breach remediation, and other data security measures.
When you partner with the Blade St. Louis cybersecurity experts, you can rest easy knowing you have all your bases covered. We can detect and halt cyber breaches in their tracks to reduce the likelihood of lost or stolen data.
We’re only ever a call or click away!
Contact us today and we’ll work together to get you secure and compliant for the upcoming SEC changes.