New SEC Regulations Regarding Data Breaches

Written by Mitnick Security | Feb 5, 2024 1:29:06 PM

On December 18, 2023, the Securities and Exchange Commission (SEC) introduced new regulations for organizations regarding response procedures in the event of a data breach.

In this blog, we’ll discuss these new regulations and what they could mean for your organization.

SEC Cyber Security Risk Management Regulations

Overview of the New SEC Rules

According to the SEC, “The new rules will require registrants to disclose on … any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. … will generally be due four business days after a registrant determines that a cybersecurity incident is material.”

Before these new SEC regulations were implemented, there were few procedural rules in place for announcing and responding to cyber security incidents, including data breaches. These updated requirements are intended to achieve the following:

  • Increase visibility for customers, investors, and companies.
  • Create a consistent protocol for companies to follow during a cyber security incident.
  • Help prevent reported cyber security incidents from recurring.

Who Do These New SEC Regulations Impact?

While the new SEC regulations impact the entire digital landscape, the following groups will experience the most change in responding to cyber security incidents:

Investors: Investors will now have better insight into the inner workings of companies and whether their investment will be safe.

Security Teams: Along with impending process changes, there’s no doubt that there will be increased emphasis on ensuring security frameworks are solid.

Executives: Execs will need to work alongside CISOs to ensure that processes are in place to comply with these new rules.

How You Can Prepare For These SEC Disclosure Rules

Update Your Incident Response Procedures

The first step is to reevaluate your incident response procedures to ensure that they’re compliant with the new SEC rules.

The new SEC rules describe which “material” events must be reported during an incident response procedure to maintain compliance. Examples include:

  • Cyber security incidents that negatively affect a company's finances, either directly or indirectly.
  • Cyber security incidents that breach a company's security policies or procedures or expose it to legal liability.
  • Cyber security incidents that affect a company's goods, services, or reputation.

After reporting the incident within the required four business days, your organization should have the capacity to eradicate the threat and recover from any repercussions of the cyber attack. Without help from cybersecurity professionals, this can put a lot of strain on your internal IT staff.

Ensure Your Systems Are Secure

To prepare your company to take the necessary steps to keep your framework secure, you need a proactive approach to your cyber security.

The best way to accomplish this is to perform consistent cybersecurity testing for your organization. When you work with cyber security experts, ensure you ask about available services, such as:

Take The Proper Measures To Avoid a Cyber Attack

Following these steps can help you maintain compliance with SEC rules, as well as protect sensitive data belonging to you and your customers.

However, these are just the first steps required to consistently maintain compliance and defend your organization from the many repercussions of cyber security threats.

In our 5 ½ Steps to Avoiding Cyber Threats, you’ll also learn:

Download your free copy of 5 ½ Steps to Avoiding Cyber Threats today.