Steps to Follow to Comply With the SEC Cybersecurity Disclosure Rule

Back in July, the Securities and Exchange Commission (SEC) adopted a rule "requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance."

The new rule requires a Form 8-K to be filed within "four business days of determining an incident was material."

Enforcement kicks in Dec. 15. Jill C. Tyson, practice lead, crisis communications, at Mandiant Consulting (now part of Google Cloud) discusses with Dark Reading's Terry Sweeney the basic requirements of the SEC cybersecurity rule, as well as how affected companies can begin to prepare.

Tyson offers up timelines, checklists, and other guidance around enterprisewide readiness to ensure compliance with new rule.

"Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available," the SEC stated. "Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors."