Public companies must disclose to shareholders “material” cybersecurity breaches within four business days of determining important information may have been accessed, according to U.S. Securities and Exchange Commission (SEC) final rules announced July 26 and published in the Aug. 4 Federal Register. We’ve gathered articles on the news from SHRM Online and other media outlets.
What’s a Material Incident?
Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision. The SEC gave examples of a material impact on a company: harm to a company’s reputation, customer or vendor relationships, or competitiveness; and the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities.
Requirement Streamlined
In the Federal Register publication of the rules, the SEC said it was streamlining the requirement to focus the disclosure primarily on the impacts of a material incident, rather than on requiring details regarding the incident itself. The company must describe the material aspects of the nature, scope and timing of the incident and the material impact on the company, including its financial condition.
Annual Disclosure Requirement
The SEC rules also require public companies to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
Be Able to Mobilize Quickly
How can a company satisfy the four-day rule? Prepare crisis management leaders to have the “ability to very quickly mobilize as an executive leadership team to share information and do that in a seamless way,” according to Courtney Adante, president of security risk advisory at Teneo, a global CEO advisory firm, in Miami Beach, Fla. “And not only ensuring that they have those incident response and crisis management frameworks in place, but test them out now.”
(Fortune)
HR Plays Crucial Role in Response to Cyberattacks
Common wisdom holds that when organizations are hit by a cyberattack, the ensuing response should be led by information technology, security, legal and finance staff, with human resources taking a back seat. But cybersecurity experts say HR’s communication skills, key role as the bridge between leadership and employees, and knowledge of sensitive worker data should make it an integral rather than a peripheral member of any incident response team.
State Law Requirements on Breach Notification to Employees
Most states require employers to notify employees when defined categories or personal information, including Social Security numbers, are acquired by unauthorized parties. For multistate employers, the multitude of breach notification laws complicates the employer’s response to a security breach because common practice calls for compliance with the breach notification law of each state where affected individuals reside.
