On July 26, 2023, the SEC adopted a rule requiring public companies to provide enhanced disclosures regarding "cybersecurity risk management, strategy, governance, and incidents."
This rule comprises 3 key elements:
Immediate Disclosure of Material Cybersecurity Incidents: Registrants must disclose material cybersecurity incidents, including their nature, scope, timing, and impact, within 4 business days of determining that the incident is material. This disclosure is made under the new Item 1.05 of Form 8-K.
Annual Reporting on Cybersecurity Threat Management: Registrants must describe their processes for assessing and managing cybersecurity risks in Item 106 of Regulation S-K (reported in Form 10-K), and must also describe the board's oversight of cybersecurity risks and management's role in addressing those risks.
Foreign Private Issuer Compliance: Form 6-K has been amended so that foreign private issuers must now disclose material cybersecurity incidents. They must also provide information about cybersecurity risk management, strategy, and governance in their annual Form 20-F.
Here are 4 ways information governance (IG) practices aid compliance:
1. Effective Data Classification and Inventory
To disclose cybersecurity incidents accurately, companies must first understand what data they hold and where it resides. Implement a classification system that categorizes data by sensitivity. This helps identify which data is at risk in an incident and supports the determination of whether the incident is material.
2. Corporate IG Sponsorship and Board Oversight
Allocate resources for IG and establish a board committee responsible for cybersecurity oversight. This ensures that the tools and structures needed to surface critical information about threats are in place and that oversight can be documented for the annual disclosure.
3. Training
Training is crucial. Employees need guidance not only on retention schedules but also on using tools such as OnBase effectively to locate cybersecurity-related data when an incident must be assessed.
4. Communication Channels
Establish clear communication channels across teams so that incident information is shared promptly. Open lines of communication help the company gauge an incident's impact and meet the disclosure timeline.
By understanding their data, performing risk assessments, strengthening governance, training staff, and enabling transparent communication, businesses can bolster cybersecurity, manage risk, and fulfill their regulatory duties with confidence. 💼🔐