The United States Securities and Exchange Commission (SEC) has revised and released its interpretive guidance on cybersecurity for publicly traded companies. The revised guidance is meant to help public companies prepare for and respond to cybersecurity risks and incidents. By setting out its views on these matters, the SEC aims to promote greater transparency around cybersecurity issues and more consistent, timely disclosure of those issues to investors.
More directly, the newly released guidance focuses on two key areas:
1.) Disclosure controls and procedures. Public companies should maintain policies and procedures that ensure material cybersecurity risks and incidents are identified, escalated, and disclosed to investors in a timely fashion. The SEC states that effective disclosure controls and procedures are best achieved when the employees responsible for overseeing them are informed about the risks that the company's operations and technologies pose. Specifically, directors, officers, and other senior management should ensure that their oversight includes an understanding of cybersecurity risks and of appropriate risk mitigation techniques. The SEC notes that companies may need to look outside current senior management to obtain the necessary cybersecurity expertise.
2.) Insider trading policies. Companies will need to refine their insider trading policies and procedures to guard against directors, officers, and other insiders trading on material, non-public information about a cybersecurity incident before it is disclosed, a concern brought into focus by the trading that followed the Equifax breach. A key takeaway from this section of the guidance is that the SEC has put companies on notice that, while each incident is different, an "ongoing investigation" alone is not sufficient cause to delay disclosure of a material incident to investors.
As reliance on technology and the corresponding threat landscape continue to evolve, the SEC will continue to refine its cybersecurity guidance. For any questions about the newly updated guidance and how it could affect your business, please contact a certified GraVoc Information Security specialist.
The full SEC published guidance is available here: https://www.sec.gov/rules/interp/2018/33-10459.pdf