SEC Cybersecurity Disclosure Rules (2023)
Что такое SEC Cybersecurity Disclosure Rules (2023)?
SEC Cybersecurity Disclosure Rules (2023)U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). Determination of materiality must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing/managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Form 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.
● Примеры
- 01
A retailer files an 8-K Item 1.05 within four business days of determining that a ransomware incident is material, then files amendments as scope is clarified.
- 02
A 10-K Item 106 section describes the board's quarterly cybersecurity oversight cadence, the CISO's reporting line, and the use of an external IR retainer.
● Частые вопросы
Что такое SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K. Относится к категории Соответствие и стандарты в кибербезопасности.
Что означает SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
Как работает SEC Cybersecurity Disclosure Rules (2023)?
The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). Determination of materiality must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing/managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Form 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.
Как защититься от SEC Cybersecurity Disclosure Rules (2023)?
Защита от SEC Cybersecurity Disclosure Rules (2023) обычно сочетает технические меры и операционные практики, как описано в определении выше.
Какие есть другие названия SEC Cybersecurity Disclosure Rules (2023)?
Распространённые альтернативные названия: SEC 8-K Item 1.05, SEC cyber disclosure rule.
● Связанные термины
- compliance№ 226
Соответствие требованиям
Дисциплина обеспечения соблюдения законов, нормативных актов, договорных и внутренних требований безопасности через документированные меры контроля, сбор доказательств и регулярную оценку.
- forensics-ir№ 582
Реагирование на инциденты
Организованный процесс подготовки, обнаружения, анализа, сдерживания, устранения и восстановления после инцидентов ИБ с фиксацией уроков.
- attacks№ 304
Утечка данных (взлом)
Подтверждённый инцидент безопасности, при котором неавторизованная сторона получает доступ к защищённой или конфиденциальной информации, извлекает её или раскрывает.
- compliance№ 1264
Управление рисками третьих сторон (TPRM)
Сквозная дисциплина идентификации, оценки, контрактации, мониторинга и отключения сторонних контрагентов, чтобы вносимые ими кибер-, операционные и комплаенс-риски оставались в пределах аппетита.
- compliance№ 290
Киберстрахование
Специализированный страховой продукт, переносящий на страховщика финансовые последствия киберинцидентов — реагирование, перерыв в деятельности и ответственность.
- compliance№ 1043
Управление рисками
Скоординированный процесс выявления, анализа, оценки, обработки, мониторинга и коммуникации рисков для удержания их в пределах установленной организацией толерантности.