Everybody is talking about disclosure rules…

Ok, maybe not everybody, but the SEC and NCUA have been!

The SEC recently adopted rules for disclosure regarding cyber incidents. These rules have been put into place to give investors more insight into the risks associated with public companies, as well as to give these companies a nudge to take steps to improve their cybersecurity practices. This hasn’t come without a little confusion about which incidents to report and what information should be reported. The SEC requires material incidents to be reported on Form 8-K within four (4) days of determining an incident is material. But is that enough time to ensure you have enough data to determine the incident was indeed material? Reporting an incident as material too early, when it turns out not be material after a thorough investigation, can have a negative impact on the company and how investors view it. On the other hand, waiting to say an incident is material while taking too long collecting data may not only cause concern from investors, but also the SEC for waiting too long to report. This is a bit of a no-win situation for public companies. Wanting to see more discussion involving material incidents, how they are defined, and when they should be reported see current rules: https://www.sec.gov/news/press-release/2023-139.

Also, a reminder that the revised NCUA reporting requirements for cyberattacks goes into effect next week (September 1, 2023). We brought this to your attention back in February when the NCUA Board approved the rule. This revised policy states all federally insured credit unions are required to report cyber incidents within 72 hours of discovery. For more details: https://ncua.gov/newsroom/press-release/2023/ncua-board-approves-final-rule-cyber-incident-reporting-requirements

Authored by: Brad Goetsch