What to Know About the SEC’s New Disclosure Requirements

Author: Kayne McGladrey, Chief Information Security Officer at Hyperproof
Published: September 14, 2023

Editor's note: The following is a blog post sponsored by Hyperproof:

This is a long-awaited announcement: the U.S. Securities and Exchange Commission (SEC) has finally adopted its proposed cybersecurity disclosure requirements after over a year of delays. These disclosure requirements are going to significantly change the way companies operate, which leaves many cybersecurity, risk management and compliance management professionals with a lot of questions. Let's answer them.

What is changing?
The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material. Registrants must also describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or likely material impact on the registrant.

How long do registrants have to disclose a material incident?
Companies must disclose a material cybersecurity incident within four days of determining that it is material to investors. The timing here is important, as the clock does not start from the occurrence of the breach, but from when a company's legal team classifies it as material. This timeline also allows for delays in reporting incidents, provided the company obtains written approval from the U.S. Attorney General under special circumstances related to public safety or national security.

Why only four days?
The SEC believes this tighter deadline will help protect investors from the financial risks posed by cybersecurity incidents by giving them more timely data on the impact of material cybersecurity incidents. In specific circumstances, the disclosure may be delayed for national security reasons or to safeguard police investigations. Additionally, companies won't be penalized if they don't report an incident and have a reasonable basis for believing that the incident is not material.

What exactly qualifies as a "material cybersecurity incident"?
A material cybersecurity incident is one that is likely to have a significant impact on the company's business, financial condition or operations. Breaches are also on the rise: Hyperproof's 2023 IT Compliance and Risk Benchmark Report found that 1 in 2 companies managing risk ad hoc or in siloed departments experienced a material breach in 2022.

What exactly do I need to disclose?
In the case of a material cybersecurity incident, companies must disclose the following:

  • The nature of the incident
  • The impact of the incident
  • The measures taken to address the incident
  • The company’s policies and procedures for managing cyber risks

Companies also need to disclose which strategies they use for handling cybersecurity risks, including:

  • Describing processes for assessing and managing material risks from digital threats
  • Detailing the effects of previous cybersecurity incidents and potential future risks
  • Discussing board oversight and management’s role and expertise in handling cybersecurity risks

Additionally, public companies must disclose information about how their board oversees cybersecurity risk, including information on how experienced the board is with understanding cybersecurity. The regulations apply to both domestic and foreign private issuers, requiring similar disclosures on different forms for material cybersecurity incidents and for cybersecurity risk management.

When do these changes take effect?
The final requirements went into effect on 5 September 2023. CISOs and board members should start preparing now to ensure their companies are in compliance with the new rules. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after 15 December 2023.

The Form 8-K and Form 6-K disclosures will be due on 18 December 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

How does this affect my business?
Public companies will have to change a lot of their processes to adhere to these new requirements, including carefully evaluating the information they disclose about cybersecurity incidents. Companies that fail to comply may face investor lawsuits, SEC enforcement actions and reputational damage.

So how should you prepare? First, you'll need to educate your board members quickly about cybersecurity risk. The SaaS platform Hyperproof can be leveraged to help with this process so your board understands your risk posture and how risk is mitigated at your company. Your board should also have complete visibility into your company's controls and how they are linked to your risks, as well as fast and easy reporting to understand where you stand at a glance. Ultimately, CISOs and board members will need to be in much closer contact moving forward, which brings its positives and negatives. But one upside is that CISOs will now have a bigger seat at the boardroom table to showcase the importance of their work.

About the author: Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, focusing on the policy, social, and economic effects of cybersecurity lapses on individuals, companies, and the nation.