July 31, 2023
In today’s rapidly evolving digital landscape, the surge in cybersecurity incidents poses a significant risk to companies’ financial stability. Shockingly, more than 80% of businesses¹ have fallen victim to hacking attempts, resulting in record-breaking data breach costs, averaging a staggering $9.48 million in the United States².
To address the severity of these cyber risks and their potential impact on the economy, investors now demand greater transparency from public companies concerning their cybersecurity practices. In response, the Securities and Exchange Commission (SEC) has taken decisive action by announcing the adoption of sweeping new disclosure rules that mandate registrants to disclose material cybersecurity incidents and provide annual information on their cybersecurity risk management, strategy, and governance.
The new rules will go into effect starting in December. In this blog, we’ll delve into the key changes brought about by the new rules and discuss how your organization can prepare for the upcoming disclosures.
Disclosure of Material Cybersecurity Incidents
Under the new rules, registrants must disclose any material cybersecurity incident they experience on the newly introduced Item 1.05 of Form 8-K. This disclosure must include a description of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact. The disclosure must be made within four business days after determining that the cybersecurity incident is material, unless the U.S. Attorney General deems that disclosure poses a substantial risk to national security.
Disclosure of Cybersecurity Processes
The updated regulations also introduce Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks arising from cybersecurity threats. Additionally, registrants must disclose the material effects or reasonably likely material effects of risks from cybersecurity threats and any previous cybersecurity incidents.
Disclosure of Board of Directors’ Oversight
Item 106 also necessitates registrants to provide details about the board of directors’ oversight of cybersecurity risks and the role and expertise of management in assessing and managing material cybersecurity risks. These disclosures will be required in the annual report on Form 10-K.
Similar Requirements for Foreign Private Issuers
Foreign private issuers are not exempt from these new rules. They are required to make comparable disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
Building a Foundation of Sensitive Data Governance
To meet these new disclosure requirements effectively, organizations must establish a comprehensive program of sensitive data governance. In today’s information-driven economy, companies continuously collect, manage, and utilize personal and confidential data as part of their daily operations. However, this sensitive data also exposes organizations to inherent risks, such as data breaches and non-compliance with data privacy regulations, which can significantly impact their viability.
Step One: Understand What Sensitive Data You Have
To protect your data, you must first identify and locate sensitive information across your organization. Often, security teams discover “dark data” hidden in unexpected places, including forgotten file servers, cloud-based repositories, applications, emails, and employee laptops. Without a comprehensive and always-current understanding of your data, it is challenging to confidently protect and mitigate risks for your organization.
Automated Sensitive Data Discovery Technologies Deliver This Understanding
Sensitive data discovery is the process of identifying and locating sensitive data to protect or securely remove any pieces of compromising information. This is a crucial step for security teams to ensure compliance with regulations, to maintain the privacy of their organizations’ customers and employees, and to prevent data breaches and leaks. Since new data is being created on a daily basis, data discovery is an ongoing endeavor that security professionals must proactively work to build a strong, secure foundation of sensitive data governance.
Spirion Sensitive Data Platform delivers this foundation, enabling organizations to find any type of sensitive data anywhere it exists with unmatched 98.5% accuracy so that it can be properly protected and ethically used, an outcome we call “Privacy-Grade™ Data Discovery.”
An automated data discovery program is STEP ONE for any initiative focused on protecting your data. With an understanding of what sensitive data you have, where it exists, and how it’s being used, you’re equipped to make smart decisions on how to protect it. Your filings that boast of processes informed by a sensitive data management program will ease investors’ concerns. Further, if your organization has the misfortune to be breached, you will be able to quickly assess the materiality of a breach informed by an understanding of what sensitive data has been taken.
Sensitive Data Discovery is where we begin, but it’s not where we stop. The risks that surround that newly discovered data require organizations to do something about it! Spirion’s automated, context-rich, and persistent classifications and remediations are orchestrated through visual Playbooks and dashboards that not only reduce those risks, but they also definitely prove that you did.
Provide Board Members with the Insights Needed for Oversight
As part of the new filings, your organization will need to describe the board of directors’ oversight of cyber risks. To inform strategic oversight, executive and board leaders need to understand the types of sensitive data the company collects, processes, and stores, as well as the risks associated with each type of data.
It’s also important to outline the company’s current data security practices and any gaps or vulnerabilities that need to be addressed.
Spirion Sensitive Data Platform SPIglassTM Executive-Level Sensitive Data Risks Dashboard provides a board-ready, birds’-eye view of your IT landscape. It translates technical jargon into business speak by quantifying risks risk and security financial impact (Is it a $200,000 risk or a $25 million risk?) and the likelihood of damage (What is the probability of getting hacked?).
A second dashboard, SDVTM, helps busy security practitioners manage priorities with a propriety monetary rating and other metrics to characterize the relative impact of data asset risks based upon its value, vulnerability, and volume.
Protect against breaches and maintain compliance with Spirion
With the sheer amount and variety of sensitive data collected every day, you need a data discovery solution that enables you to comply with all privacy laws pertaining to what you collect.
Spirion Sensitive Data Platform automates data discovery, classification, and remediation. Our discovery tool thoroughly combs through locations in the cloud or on-premise—such as PDFs, images, databases, employee laptops, and more—in search of sensitive data. Whether that data is structured or unstructured, our tool can discover it, so you can protect your organization’s sensitive data and comply with SEC disclosure requirements with ease. To see our platform in action, watch a free demo here or contact us at email@example.com to talk to a Spirion data security and compliance expert today.