The SEC’s cybersecurity disclosure rules recently turned one year old, but many organizations still have questions about compliance. Bill McLaughlin, president of Thrive, a managed services provider, explores some of the lingering issues.
It has been about a year since the SEC enacted its cybersecurity disclosure mandate, which requires the disclosure of any material cybersecurity breach on form 8-K, item 1.05, as well as cybersecurity-specific additions to companies’ annual 10-K filing.
Companies may still be grappling with questions surrounding the new rules and processes needed to meet the SEC’s requirements.
4-day deadline
A Form 8-K must be filed within four business days of a cybersecurity incident, with the clock starting on the first business day after the incident has been identified (also called Day One). Companies should take note of the language here: the four days run from when the incident has been identified, not from when the incident actually happened. That nuance, combined with the narrow window of time, can be the difference between a company being in compliance and being out of compliance.
However, as many companies note, four days may not be long enough to determine whether a cybersecurity incident occurred at all, much less whether it is deemed “material.” The mandatory 8-K and ongoing reporting document any breach’s cause, resolution(s)…