As businesses grapple with the growing complexity of cybersecurity threats, the U.S. Securities and Exchange Commission (SEC) has taken a decisive step towards enhancing investor protection. Through the introduction of new and updated disclosure rules, registrants will be required to report material cyber incidents promptly. These enhanced reporting obligations are part of a broader initiative designed to ensure organizations thoroughly assess, identify, and manage cyber risks while providing better transparency over their risk management strategies.
With the number and severity of cybersecurity incidents on the rise, investors demand more transparency from the companies in which they place their resources and trust. These requirements are fundamentally about being transparent with investors regarding material incidents that could impact their trust level and overall investment strategies.
As from December 15th 2023, public companies as well as foreign private issuers must comply with these impending regulations. Organizations must then:
- Report “material” cybersecurity incidents on a Form 8-K within four business days of materiality determination. Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant.
- Describe the company’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats.
- Describe the company’s governance of cybersecurity risks.
Armis is here to help holistically implement proactive and reactive capabilities. This facilitates the required calculation of materiality, enabling customers to deliver mature, intelligence-driven programs that align with new mandates and evolving cybersecurity maturity requirements around the globe.
Minimize The Potential For Material Impact
It is essential to proactively manage the highest priority business exposures and identify and respond to threats before an incident becomes material. Here are some key capabilities to look for:
- Continuous visibility into the evolving attack surface and the attack paths with the greatest potential and likelihood to impact the business.
- Identify and block active threats with the potential for impact at the earliest phase of an attack and facilitate real-time responses, whether automated or manual.
- Distribute the highest priority risk mitigation and vulnerability remediation responsibilities to the appropriate teams and owners.
- Track progress on the highest priority mitigation and remediation efforts and report on and escalate to the right owners with the relevant business context.
- Proactively track, manage, and report on MITRE ATT&CK control implementations and gaps as well as corresponding compliance framework mandates.
Manage, Track, and Facilitate Incident Impact Qualification
In the event of an incident, the incident timeline will need to be mapped to understand the full extent of the assets and corresponding business elements impacted. Reconstructing the timeline comes with the following requirements:
- Identify which assets have been or are likely to be impacted by a confirmed incident.
- Identify business locations, capabilities, user bases, etc. impacted by the incident.
- Extend context through integrations (e.g. data hosted / processed by systems).
- Confirm containment success and recovery success efforts and map the timeline events from discovery and validation to containment and recovery.
- Confirm and export incident context in support of materiality assessments.
Is Your Organization Prepared?
With the new SEC rules, companies must do their part to ensure that they have adequate security measures in place. Armis can help organizations to protect their entire attack surface and manage organizational cyber risk exposure before, during and after an incident. With the deadline approaching fast, now is the time to make proactive decisions when it comes to cybersecurity!
Contact us today and be ready for the enhanced U.S. SEC reporting obligations.
Share this Article
Get Updates
Sign up to receive the latest from Armis.