One Year Later: CISOs Still Struggle with SEC Rule Confusion
Confusion over when and how to report cybersecurity incidents to the US Securities and Exchange Commission (SEC) continues to cause headaches for public companies, even a year after the revised disclosure rules took effect. As the SEC steps up enforcement of its disclosure requirements, CISOs and senior executives are under pressure to assess incidents quickly and, once an incident is determined to be material, disclose it on Form 8-K within four business days of that determination.
Joe Shusko, a partner in Baker Tilly’s cybersecurity practice, notes that companies most often run into trouble with the SEC when they fail to disclose cybersecurity incidents promptly. Deciding what counts as material can be difficult, and companies are having to adapt their processes to stay compliant with the SEC’s rules.
Shusko emphasizes bringing senior security staff, business operations, legal counsel, and external forensic investigators together in a disclosure committee to make the materiality determination. Having the technical, business, and legal perspectives in one forum helps ensure that any required disclosure is made on time and is accurate.
The SEC has been actively enforcing in this area: it has brought more than 200 enforcement actions since gaining such authority in 2015, roughly a quarter of them relating to cybersecurity incidents. Recent charges against companies for misleading investors about cyberattacks underscore the agency’s intent to hold organizations accountable for failing to disclose material incidents.
To stay on the right side of the SEC’s requirements, companies need a clear, documented process for assessing materiality and cross-departmental collaboration that is in place before an incident occurs, so that the disclosure decision is not being worked out for the first time under a four-business-day clock.