The US Securities and Exchange Commission (SEC) has proposed new rules designed to improve organizations' transparency around cyber incidents. Under the proposal, listed companies must disclose a “material cybersecurity incident” within four business days of discovery. Most states have policies in place regarding such disclosures, but they do not extend to incidents that do not include Personally Identifiable Information (PII). The SEC stated that changes needed to be made in the interest of company investors. It also proposed that companies must provide updates on previous incidents and disclose when “a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.” Organizations will also be required to list board members with cybersecurity experience and begin to publicly describe their policies for handling cybersecurity-related events.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased