5 THINGS YOU CAN DO NOW TO PREPARE FOR THE PROPOSED SEC CYBERSECURITY RULE
Have you read the Proposed SEC Cybersecurity rule (links below)?
Here are the five things you can do NOW to prepare for the proposed SEC cybersecurity rule, anticipated around April 2023.
1) Get Familiar with SEC Reporting Requirements and the Upcoming Changes
2) Start building or augmenting current plan(s) to a Cybersecurity Board-Level Risk-Driven Strategy
3) Begin formalizing your Cybersecurity preparation/enhancements
4) Document your Cybersecurity Management
5) Begin a hunt for a Cybersecurity Board Member
As a preliminary step, get familiar with the types of documents and forms used for SEC reporting. Many cybersecurity professionals are not business trained, so now is the time to get some exposure. The forms being amended or added under the proposed rule are where we recommend starting.
If you are the head of a security team and the responsibility for getting ready falls on you, follow these five steps and you will develop the needed acumen along with appropriate Cybersecurity plans.
Step 1) Get Familiar with SEC Reporting Requirements and the Upcoming Changes
Learn how to read an 8-K. An 8-K is a report of unscheduled material events or corporate changes at a company that could be of importance to shareholders or the Securities and Exchange Commission (SEC). Also known as a Form 8-K, the report notifies the public of events including acquisitions, bankruptcy, the resignation of directors, or changes in the fiscal year. Form 8-K is being amended to add Item 1.05, which requires registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident:
Here is an explanation of how to read an 8-K (https://www.sec.gov/files/readan8k.pdf)
Here is an example 8-K focused on a Cybersecurity incident (https://www.sec.gov/Archives/edgar/data/0000808450/000119312521183688/d13020d8k.htm)
These are samples of the types of Cybersecurity incidents that may require disclosure (non-exclusive list) according to the proposed rule:
An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data
An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of ope