Here’s how to get proactive about complying with the SEC’s cybersecurity rules


We’re now in 2024, and with it comes a new set of challenges that today’s security leaders must face. High on the list: the Securities and Exchange Commission’s (SEC’s) new cyber rules, which went into effect December 18 and require public companies to report a “material” breach within four days.

Although the rules were initially announced last July, security teams say achieving compliance isn’t clear-cut, leaving many organizations grappling with how to do so effectively.

Many security organizations say they find determining materiality thresholds a big challenge. Many point out that quantifying what makes an incident “material” is not always black and white.

It’s difficult to standardize because materiality thresholds vary from company to company. An incident resulting in $X financial loss might qualify as material for one type of company, but not another. Without a concrete definition of a “material” impact on operations, revenues, or stock price, security pros are concerned that the rule can feel somewhat arbitrary and may lead to some material breaches going unreported.

Companies need to make their own determination around what’s considered material, and they…
