
    What you'll read:

    • What the new SEC regulations mean for cybersecurity professionals 
    • Insights on how the new SEC regulations will change the industry as a whole
    • How proactively preparing for incident response can benefit teams in this new era

    The SEC enacted a new rule in December 2023 requiring publicly traded companies to disclose “material” cybersecurity incidents. In our recent webinar, “Now What? When Cybersecurity Disclosure Rules Widen the Gap Between Reputation and Risk”, Axonius CISO Lenny Zeltser and Playtika CISO Liran Sheinbox explore what the new SEC rule means for cybersecurity professionals and why having a solid cybersecurity foundation is key to evaluating if and when cyber incidents become material.

    How the new rules are changing the way we approach cybersecurity  

    For the first time, the SEC is defining a clear standard for reporting cybersecurity incidents – and experts believe that this will have a positive effect across the industry. This change will allow us to normalize the occurrence of incidents, learn from public disclosures, and gain valuable insight.  

    “By forcing companies to disclose material security incidents, it will allow us to de-stigmatize the notion that a security incident happened. Every company, even one with a very strong security posture, will have security incidents,” says Zeltser.

    By holding companies accountable, regulations like this new SEC disclosure rule also give leaders the opportunity to shift how they embrace security as a whole. This could mean hiring more senior security leaders, giving existing leaders more tools to succeed, or taking steps to establish a stronger security culture from within. Sheinbox shared how the Playtika security team cultivated a more security-conscious environment by building a strong community of trusted security champions and incentivizing them to evangelize this culture throughout the organization. The new SEC rule means that organizations will be similarly zeroing in on cybersecurity policies and procedures – especially when it comes to incident response.

    Why having an incident response plan in place matters

    Now that the new SEC disclosure rule has gone into effect, prioritizing clear processes and communication is crucial. Every incident report needs to be reviewed by legal and finance teams because the threshold of materiality is not determined by a CISO alone; it’s a joint decision. The time to align with legal and finance teams and formalize incident response procedures is now – not when an incident has occurred or been deemed material.

    Building a clear incident response plan and documenting every step is key to effective recovery. It’s important to have a well-defined process that’s clearly understood by everyone involved with responding to or investigating the security incident, and to make sure that process is executed properly. Our incident response template can help you create a specific process and a checklist that keeps things streamlined during a high-pressure situation. And since having everyone on the same page when it comes to incident response terminology is crucial, we defined common terms in this blog post. Preparing for these scenarios before they occur will help everything run more smoothly as you follow the new SEC regulations.

    Hoping to gain even more insight on the impacts this new rule might have? Watch the webinar replay to hear more about how responsibilities and expectations are shifting for CISOs and why it’s so important to build trust throughout the entire organization.
