As the Security and Exchange Commission (SEC) gets tough on businesses’ cybersecurity posture, IT security leaders will need to beef up incident response plans—a notable challenge for organizations currently lacking in this area.

As of December 18, 2023, publicly traded organizations must begin complying with the SEC disclosure regulations unveiled in July, which mandate disclosure of “material” threat incidents within four days.

The rules also require annual reporting on cybersecurity risk management, strategy and governance, all established to strengthen transparency for investors and regulators alike.

The four-day requirement, while controversial in the cybersecurity industry, is consistent with other material reporting requirements by the SEC, which include definitive agreements, bankruptcy and so on.

Dave Gerry, CEO at Bugcrowd, explained that this is an important point as it provides more time for organizations to truly understand the materiality and impact of the incident prior to disclosing it.

“As organizations look to comply, a comprehensive incident response process will be required to ensure that they can identify the materiality of an event, understand the potential business impact and begin to mitigate the incident as quickly as possible,” he said.

He added that while the SEC is creating rules around disclosure, it is still up to individual organizations to ensure their cybersecurity defense strategies are sufficient to manage their risk.

“The new disclosure rules should help to solidify that boards and management teams have an obligation to shareholders, institutional investors, and regulators around the state of their cyber security practices,” Gerry noted.

While many organizations have adopted vigorous cybersecurity processes and policies, this additional disclosure requirement coming from the SEC should lead to more robust practices overall.

“As hackers continue to play a vital role for businesses looking to deploy security solutions, increased regulatory action will continue to offer more opportunities to do so,” he said.

Gerry warned that in practice, the SEC requirement is likely to prove “very challenging” for organizations that do not have a comprehensive incident response plan in place.

“The spirit of the requirement is correct in forcing organizations to responsibly disclose security incidents, but could prove challenging to comply with,” he said. “Tight collaboration to quickly define materiality is going to be critical to complying.”

From his perspective, organizations must proactively develop processes to comply, ensure they run regular training and tabletop exercises and have strong collaboration inside their organization.

This includes legal, PR, investor relations, product development, cybersecurity and back office teams.

Claude Mandy, chief evangelist, data security at Symmetry Systems, pointed out that organizations have already invested or are investing in measures to determine the potential materiality of an incident.

“Newer technologies like data security posture management and data detection and response hold promise in reducing delays in gathering evidence,” he said. “The reliance on self-determination places a unique burden to methodically prove how they determined an incident to be non-material.”

This means organizations must be able to swiftly determine the potential impact of a breach, even from the compromise of a single account.

“Adhering to the rule requires organizations to have proactively defined and documented their policies and practices for determining materiality, considering both quantitative and qualitative measures,” Mandy said.

Joseph Carson, chief security scientist and advisory CISO at Delinea, agreed that organizations must now be more proactive in determining the material impact of cybersecurity incidents to the business rather than discovering this later in the courts.

“While the definition is quite vague, most organizations can be quick to determine if a cybersecurity incident has a material impact on the business, as not all incidents are equal,” he said.

While most organizations have a significant amount of cybersecurity incidents every day, they will need to now ensure they clearly classify incidents that have a material impact.

He noted that cybersecurity is no longer just an IT or technical issue, but it has quickly developed into a business issue as more businesses are heavily dependent on their digital services.

“When they are unavailable, the business will experience a material impact, so cybersecurity has now become an essential part of the business’ resiliency,” Carson said.