What the SEC and SolarWinds are Saying to CISOs

In short, the pressure on CISOs to proactively manage and report incidents has reached a tipping point. In July, the SEC (Securities & Exchange Commission) approved a long-awaited cybersecurity framework for public companies, mandating the public disclosure of significant cyber incidents. The decision entails new regulations compelling publicly traded firms to report “material” cyber events within four business days through a public 8-K filing. Additionally, companies are required to divulge details about their overall cybersecurity strategies in an annual 10-K filing.

Companies are expected to start complying with the 8-K requirements within 90 days of publication in the Federal Register or by December 18, whichever is later. The new 10-K requirements become effective for fiscal years ending on or after December 15.

As if to add emphasis to the new rules, in October the SEC took legal action by filing fraud charges against software company SolarWinds and its CISO for allegedly presenting deceptive and untrue statements regarding the company’s cybersecurity risks and practices spanning from October 2018 to at least January 12, 2021. The SEC has chosen to charge the CISO with fraud, a decision likely to raise concerns about liability among the CISO community.

The new regulatory development follows over a year of SEC deliberations, during which feedback from cybersecurity professionals, companies, and stakeholders was collected. The finalized rules reflect considerations of public concerns, establishing a standardized approach for public companies to report specific cyber incidents to investors and shareholders.

Under these SEC rules, companies must report a cyber incident within four business days via an 8-K filing when it is determined to have a material impact. Previously, the reporting of such incidents was inconsistent, with varying levels of detail in 8-K disclosures. The new rules aim to bring consistency to cybersecurity disclosures and align reporting practices across companies Notably, companies are required to disclose in annual reports who on their management team oversees cybersecurity efforts and detail any board committees addressing cybersecurity issues.

Companies, depending on their size, public or private ownership, and existing cybersecurity investments, may need to make varying degrees of preparation for compliance with these rules.

Secuvy gives customers full data visibility, enabling the discovery of ALL sensitive data assets, including dark and unstructured data within hours. Secuvy’s trailblazing advanced unsupervised machine learning algorithms put full data visibility at your fingertips resulting in renewed data agility and risk management.