On July 26, 2023, the Securities and Exchange Commission (SEC) adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The rule responds to concerns that investors were not receiving timely and consistent information about cybersecurity, and to the escalating and persistent threat that cybersecurity incidents pose to public companies, investors, and market participants.
The final rules represent a significant step forward in the SEC’s cybersecurity incident disclosure requirements. Here are six key points you should know:
The newly established Form 8-K Item 1.05 requires registrants to disclose any cybersecurity incident they determine to be material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, along with its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations.
Registrants must make the materiality determination without unreasonable delay after discovering an incident. If the incident is determined to be material, the Item 1.05 Form 8-K is generally due within four business days of that determination. The four-day clock starts at the materiality determination, not at discovery of the incident, so the incident response process needs a defined and documented path from detection to the materiality decision.
Disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing. If the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant relief through exemptive orders.
New Regulation S-K Item 106 requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. Registrants must also describe whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.
Item 106 also requires registrants to describe the board of directors' oversight of risks from cybersecurity threats, as well as management's role and expertise in assessing and managing material risks from those threats.
Amendments to Form 6-K require foreign private issuers to furnish information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders. Form 20-F is likewise amended to require foreign private issuers to make periodic disclosures comparable to those required under new Regulation S-K Item 106.
The final rules become effective 30 days after publication of the adopting release in the Federal Register. The compliance dates are later than the effective date: Item 106 disclosures are required beginning with annual reports for fiscal years ending on or after December 15, 2023, and Item 1.05 Form 8-K disclosures are required beginning December 18, 2023, with smaller reporting companies given an additional 180 days (until June 15, 2024) for the Form 8-K requirement.
Though many of the rules address what a company must do once it has detected a material incident, Regulation S-K Item 106 also requires registrants to disclose the processes they use to assess, identify, and manage cybersecurity risk. This is where Pathlock can help you implement a robust security, risk, and compliance framework at the application level. Pathlock offers a range of modules you can deploy based on your specific security needs and risk mitigation requirements across applications.
Pathlock enables you to govern access across multiple applications from a single interface. Our Certifications module lets you view every access entitlement a user holds across your applications, along with role usage history. Coupled with our Separation of Duties (SoD) capabilities, you can immediately identify users with conflicting roles. We also offer a cross-application Provisioning module that allows you to customize approval workflows; SoD checks are built into the provisioning process so that new conflicts are caught before access is granted.
Pathlock enables you to implement attribute-based access controls that make access context-aware by enforcing rulesets aligned with globally recognized compliance requirements. Using contextual access data, Pathlock allows you to mask sensitive data and enforce in-line multi-factor authentication. These controls can be triggered at the page, field, and transaction level to meet privacy regulations, restrict data access, and monitor access to sensitive data and transactions.
Whether it’s SoD, data security, or financial regulations like SOX, Pathlock offers the most comprehensive repository of rulesets for leading ERP and business applications. These rulesets have been built using globally recognized standards that you can implement at the click of a button. Our customers can also customize rulesets based on their unique business needs.
Pathlock solutions are built with audit and compliance requirements in mind. For key compliance-related processes such as provisioning, access certifications, and controls monitoring, our solutions maintain comprehensive logs of user access, changes to data, approvals, mitigations, and transactions. This enables you to continuously monitor user activity, detect suspicious behavior, and maintain an audit trail. Our cross-application, fine-grained visibility provides a complete view of SoD risks, even in a hybrid SaaS and on-premises environment, making it simpler to generate reports and share them with your board of directors.
The SEC's new rules emphasize the crucial role of transparent cybersecurity incident disclosure. They require not only timely reporting but also demonstrable risk management. As these regulations evolve, solutions like Pathlock become indispensable, helping businesses meet disclosure standards and bolster their cyber defenses.
Pathlock enables you to monitor your applications continuously, detect risks, and implement controls that eliminate or mitigate those risks and enhance compliance across applications. Furthermore, our compliant rulesets and audit documentation provide senior management with the assurance they need to report on their risk mitigation and security measures in their annual reports.
Get in touch with us to learn more about how Pathlock can help you successfully meet your security and compliance goals.