Companies are already feeling the pressure from upcoming US SEC cyber rules

On August 14, 2023, bleach and cleaning product giant Clorox filed a form 8-K with the Securities and Exchange Commission, notifying the financial regulator that it had experienced a cybersecurity incident that had disrupted the company’s business operations.

A month later, the company filed another 8-K saying that the damage to its IT infrastructure from what it characterized as unauthorized activity was still wreaking havoc on its production systems, causing processing delays and an elevated level of product outages, all of which would have a material effect on its quarterly financials. The company said it would produce an updated financial impact of the incident once it had increased visibility.

Clorox’s SEC filings were the first reports of a material cyber incident following the SEC’s release of its new cyber incident disclosure rules in late July. Under the new SEC rules, whose incident disclosure obligations do not begin until December 18, 2023, publicly traded companies will be required to:

  • Disclose, within four business days of determining that a cybersecurity incident is material (a determination the rules require to be made without unreasonable delay), the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
  • Describe their processes for identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
  • Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Even though the disclosure obligations don’t kick in until December, the Clorox incident highlights what experts say is a new sense of urgency among SEC-regulated companies to report cyber incidents. Moreover, they say that once the new rules take effect, companies will need closer working relationships between CISOs and the upper echelons of management to determine, and determine quickly, whether an incident is financially material.

Companies already feeling the heat from the upcoming regulations

“What I take out of the Clorox incident is interesting in that companies are starting to feel already the pressure of regulation from the SEC’s new rules, and they feel the need to promptly disclose that they have an incident that might be material,” Nick Sanna, president of the FAIR Institute and president of the cyber risk quantification firm SAFE, tells CSO.

“But it is also notable that it is absent of indication of the size of the materiality,” he adds. “And so, we don’t know exactly what it translates to in potential financial impact. I’ve heard about other companies that are now accelerating their investigation into how they respond to this question of materiality.”

3 Comments

  1. First off I would like to say wonderful blog! I had a quick question that I’d like to ask if you do not mind. I was curious to know how you center yourself and clear your thoughts prior to writing. I’ve had a tough time clearing my thoughts in getting my thoughts out there. I do take pleasure in writing however it just seems like the first 10 to 15 minutes are generally lost just trying to figure out how to begin. Any suggestions or tips? Thanks!

    1. Try to go to nature, take a little alcohol and sit by the campfire – it will help.

    2. Hm… I think first you just need to relax… understand what exactly you want to convey and the right words will flow by themselves… the main thing is to give them free rein.
