SEC’s cyber rules soon in play – brace for turbulence.

December 14, 2023
  • Contentious cybersecurity regulations issued by the U.S. Securities and Exchange Commission (SEC) are coming into effect, requiring public firms to disclose cybersecurity incidents and risk management processes.
  • The Department of Justice (DOJ) provided guidelines on how companies could seek exemptions on immediately reporting substantial cyber incidents if doing so would harm national security.
  • The cybersecurity firm CrowdStrike and consulting firm Deloitte are advising companies on the challenging aspects of preparing for these new regulations.

The SEC regulations, which have drawn criticism from industry groups and Republicans, require all public companies, starting December 18, to report significant cyber incidents to the SEC within four days of their occurrence. The rules aim to protect potential investors. In their annual reports to the SEC, these companies must also now describe their strategies for evaluating and managing cyber threats. Firms are finding it difficult to determine when an incident is “material,” i.e., meaningful to investors.

The DOJ’s guidelines on data reporting exemptions are also noteworthy. Companies can seek these exemptions if the cyber threat isn’t widely understood and could lead to more threats, if the victim handles sensitive government information, if disclosing the attack could hinder remediation of a critical infrastructure attack, and if revealing the threat could expose sensitive details about government efforts to battle it.

Experts believe that a company’s guidance committee or council will play a crucial role in navigating these rules successfully. This council should include representatives from the legal, business, and technical sides of the company and should be able to respond quickly to cyber incidents. On compliance, most organizations will likely be playing catch-up as they work out the initial structure, making the transition a potentially bumpy one.

The rules come into effect after a spike in activity from a Chinese state-sponsored hacking group known as “the KV-botnet” that threatens commercial and home security cameras. The KV-botnet uses end-of-life products from major US manufacturers, like Cisco and Netgear, to hide its activities. Its activities have generated concerns about the risks posed to critical US infrastructure.
