Sign up to save your podcasts
Or
Share SEC Adopts Robust New Cybersecurity Disclosure Rules
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
SEC Adopts Robust New Cybersecurity Disclosure Rules
In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices.
You’ll hear him discuss:
- The SEC's adoption of new cybersecurity disclosure rules, a process spanning over a year, comes as a transformative step in the regulatory landscape.
- One of the most noteworthy changes is the requirement for companies to file Form 8-K to disclose material cybersecurity incidents within four business days of determining materiality.
- This significant change allows for a more measured assessment of materiality before disclosure, a departure from the previous trigger of four days from becoming aware of the incident.
- Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
- Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
- The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.
KEY QUOTES:
“You can't just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” - Michael Volkov
“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” - Michael Vokov
“Additionally, companies have to go even more comprehensive in their disclosures to …describe management procedures and practices for assessing and mitigating cybersecurity risks.” - Michael Volkov
Resources
Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
View all episodes
By Michael Volkov
4.9
4242 ratings
In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices.
You’ll hear him discuss:
- The SEC's adoption of new cybersecurity disclosure rules, a process spanning over a year, comes as a transformative step in the regulatory landscape.
- One of the most noteworthy changes is the requirement for companies to file Form 8-K to disclose material cybersecurity incidents within four business days of determining materiality.
- This significant change allows for a more measured assessment of materiality before disclosure, a departure from the previous trigger of four days from becoming aware of the incident.
- Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
- Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
- The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.
KEY QUOTES:
“You can't just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” - Michael Volkov
“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” - Michael Vokov
“Additionally, companies have to go even more comprehensive in their disclosures to …describe management procedures and practices for assessing and mitigating cybersecurity risks.” - Michael Volkov
Resources
Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
More shows like Corruption Crime & Compliance
View all
Lowy Institute
21 Listeners
Fraud Talk
56 Listeners
Compliance Perspectives
35 Listeners
The Daily
112,946 Listeners
Great Women in Compliance
56 Listeners
The Intelligence from The Economist
2,543 Listeners
Everything Compliance
1 Listeners
From the Crows' Nest
31 Listeners