The Securities and Exchange Commission has introduced new rules requiring public companies to disclose “material” security incidents within four business days. After an incident is discovered, companies must determine its materiality as quickly as possible, then report it if applicable on Form 8-K.
When the SEC proposed the new rules, companies argued that four days did not allow enough time to gather the necessary information. Nevertheless, the rules became effective on Sept. 5, 2023. All material security incidents must be disclosed as of Dec. 18, 2023. Smaller reporting companies have until June 15, 2024, to comply.
Most public companies rely on smaller organizations throughout their supply chains. A security incident at any point in that chain could have a material impact on the public company. Therefore, organizations of all sizes should familiarize themselves with the new rules and implement an incident management strategy.
Overview of the New SEC Rules
The new rules have three key components:
- Broad Definition of Security Incident. A security incident is any “unauthorized occurrence … that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” This includes system disruptions in which no data is compromised.
- Materiality Standard. The new rules have the same materiality standard as other 8-K disclosures. In essence, companies must report any security incident that an investor would consider important.
- Reporting Requirements. The report must describe the incident and indicate the scope. It must also include the date the incident was discovered, whether any data was accessed, stolen or used, whether it has been remediated, and the impact on the company’s operations.
Developing an Incident Management Plan
An incident management plan should establish clear procedures for addressing pre- and post-incident activities. According to the SANS Institute, all plans should include six key steps:
- Preparation: This is perhaps the most crucial step because it establishes the foundation for the entire incident response process. Organizations should conduct a thorough risk assessment to identify potential vulnerabilities and attack vectors. They should also establish an incident response team to coordinate all planning and communications.
- Identification: This step establishes the tools and processes to detect breaches and launch a quick, focused response. Identifying a security incident will involve gathering information from various sources, such as log files, firewalls and intrusion detection systems. The goal is to determine whether the unusual activity is a security incident or a normal deviation.
- Containment: This phase aims to contain damage as quickly as possible to prevent further problems. It could involve segregating a network segment to isolate infected workstations or taking down infected servers and rerouting traffic to failover servers. This process is not intended to be a long-term solution but a short-term mitigation action.
- Eradication: This phase involves neutralizing the threat and restoring internal systems to as close to their previous state as possible. It could require a complete reimage of a system or a restore from a known good backup.
- Recovery: This is the process of bringing affected systems back into the production environment. The security team must validate that affected systems are no longer compromised to ensure there won’t be another incident.
- Lessons Learned: Finally, the team must document the incident to provide a knowledge base that can be used to thwart future incidents. Additionally, the incident response team and other stakeholders should meet to evaluate the effectiveness of the response and determine if policies and procedures require updates or improvements.
How Technologent Can Help
Technologent has extensive experience in the development and implementation of security incident management plans as part of our comprehensive suite of cybersecurity programs. Let us help you comply with the new SEC rules or meet the requirements of your larger supply chain partners.
January 3, 2024