New SEC Rules Can Affect Organizations in a Public Company’s Supply Chain
The Securities and Exchange Commission (SEC) has implemented new rules requiring publicly traded companies to report cybersecurity incidents. The rules will also affect privately held companies in a public company’s supply chain.
Publicly traded companies have long been required to report “material events” on Form 8-K. Cybersecurity incidents were not specifically listed among the events that must be reported, although such incidents can significantly impact a company’s market valuation. A 2019 Bitglass study found that companies lost 7.5 percent of their stock price after a security breach. It took an average of 46 days for the stock value to recover.
The new rules are designed to ensure that cybersecurity incidents are consistently reported. Publicly traded companies must disclose a cybersecurity incident within four business days after determining it is material. To meet these requirements, companies must develop an incident management plan establishing procedures for identifying, analyzing, containing and eradicating cyberattacks.
Understanding the New SEC Rules Requirements
The new rules define a cybersecurity incident broad as “any unauthorized occurrence … that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” A material incident is defined as one “to which there is a substantial likelihood that a reasonable investor would attach importance.”
Sensitive data doesn’t necessarily have to be compromised — an incident that disrupts production or results in lost revenue could be considered material. Even if the immediate financial impact is relatively minor, an incident could be considered material if it harms the company’s reputation and causes customer churn.
Companies must determine an incident’s materiality “as soon as reasonably practicable after discovery of the incident.” Even if the company finds that an incident is not material, it must continue to assess the situation in case the status changes. An incident could have a broader impact than initially determined.
The Role of an Incident Management Plan
An incident management plan should establish processes for detecting unusual activity and determining whether it is a security breach. IT teams must gather and correlate information from various sources, including server logs, firewalls and intrusion detection systems. To do this within the specified timeframe, companies will need a security information and event management (SIEM) system or security operations center (SOC) capabilities.
If a security incident is identified, the next phase is to contain the damage as quickly as possible. This could involve isolating infected systems or preventing malware from contacting the attacker’s command-and-control servers. Once the threat is contained, IT teams should work to neutralize the threat and restore systems and data.
New SEC Cybersecurity rules affect public & private companies.
The incident management plan should include procedures for documenting the scope of the incident as quickly as possible. The Form 8-K report should specify when the incident was discovered, whether data was compromised and whether it has been remediated, among other details.
The Significant Scope of Supply Chain Threats
A publicly traded company could determine that a smaller supply chain partner is the source of the security incident. In a recent Opinion Matters survey, 80 percent of companies reported that they had suffered an average of 2.7 security breaches related to a third party in the preceding year. Another study found that companies considered almost one-third of their third-party party partners to be a material risk.
Organizations that are part of a publicly traded company’s supply chain should be prepared to respond rapidly to incidents that impact a larger partner. This is a tall order for many smaller companies that don’t have the tools or resources to analyze and remediate security incidents.
Strengthen Your Incident Management with GDS SOC-as-a-Service Solutions
GDS offers SOC-as-a-Service solutions that provide greater visibility into the IT environment along with threat intelligence and incident management. Let us help you meet the rigorous incident management and reporting requirements of your supply chain partners.
Benefits of Managed IT Services from Global Data Systems
- Strategic Managed IT: We help you solve your technology related business problems.
- Connectivity: We get you reliable, secure connectivity anywhere in the western hemisphere in 48 hours.
- Support: When you need help simply call our 24x7x365 support number.
- Billing: Instead of managing hundreds of vendors - get one, easy to read bill from GDS.
Contact Managed Services Provider, Global Data Systems >