In July of 2023, the U.S. Securities and Exchange Commission, commonly known as the SEC, adopted new rules necessitating the disclosure of material cybersecurity incidents and related risk management, strategy, and governance. One of the most notable requirements of the new regulations is that companies must report a cybersecurity incident within four business days after determining the incident is material. As retail and hospitality organizations prepare to comply with the new requirements, which go into full effect starting December 1, 2023, we offer some insight into areas that cyber defense and incident response teams may want to look into more closely.
The new rules require organizations to disclose any material cybersecurity incident within four business days after determining the incident is material. The disclosure should describe the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the organization. Materiality is not explicitly defined and must be evaluated case by case, considering the totality of the available information.
Non-compliance with the new rules can have significant legal and reputational consequences for organizations. Even though the four-day reporting clock starts only after materiality has been determined, companies must determine whether an incident is material “without unreasonable delay after discovery of the incident.” This unreasonable-delay standard may be a challenge for companies already under strain from responding to the incident itself. On top of the response effort, companies must fully understand the documentation and materiality determination process, which adds another layer of complexity.
In response to these new rules, retail and hospitality organizations should pay close attention to the following areas to ensure their organization can respond appropriately:
- Enhance Incident Response Protocols: Organizations should review and strengthen their incident response protocols to enable rapid identification, assessment, and reporting of cybersecurity incidents, so that responders can give decision-makers the evidence they need to determine whether an incident is material without unreasonable delay after its discovery.
- Clarify Materiality Determination Process: Organizations should develop a clear process for determining the materiality of an incident by involving critical stakeholders like the CFO, general counsel, CISO, CIO, and frontline business leaders. This process should be thoroughly documented.
- Improve Communication Templates: Companies should consider preparing standard reporting templates in advance to facilitate rapid and efficient communication of incidents while protecting sensitive cybersecurity information.
- Train Staff: Key personnel, especially those involved in incident response and materiality determination, should receive adequate training to understand and fulfill the new SEC requirements.
- Engage Legal and Technical Counsel: Organizations should work with legal and technical consultants to ensure their cybersecurity incident response programs align with the SEC’s requirements without compromising the effectiveness of response or remediation.
These are just a few steps organizations can take to position themselves for successful compliance with the new SEC rules. Cybersecurity leaders, especially those responsible for supporting the incident response process, should work closely with key stakeholders, particularly general counsel and those responsible for risk strategy, to identify the preparation steps most appropriate for their organization.
RH-ISAC will continue to provide relevant information to members.