Preparing for SEC cybersecurity rules an opportunity for collaboration
Businesses can prepare for the Securities and Exchange Commission’s (SEC) upcoming cybersecurity disclosure rule by going through it and identifying key gaps in compliance, according to an expert.
The final rule adopted by the SEC in July includes two major parts, noted Mary Tarchinski-Krzoska, market adviser for risk and compliance at software provider AuditBoard. Tarchinski-Krzoska spoke Tuesday during a session at a conference in Las Vegas jointly sponsored by ISACA, formerly the Information Systems Audit and Control Association, and the Institute of Internal Auditors.
One part of the rule requires companies to disclose new information annually, starting with reports for fiscal years ending on or after Dec. 15, 2023, describing their cybersecurity policies and programs, including how risks are identified and mitigated. The other part pertains to cybersecurity breaches and will require companies to promptly determine whether a breach was material; if so, they must report details in a disclosure with the SEC within four business days.