Recognizing the increasing impact that cybersecurity incidents are having on businesses and investors, on July 26 2023, the Securities and Exchange Commission (SEC) adopted new requirements for disclosure by publicly-traded companies of “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Most companies concentrate on cybersecurity incidents resulting from malicious activity and might think that accidental occurrences are not covered. However, the SEC final rule clearly states that a cybersecurity incident should be construed broadly, encompassing a range of event types, adding:
“In general, we believe that an accidental occurrence is an unauthorized occurrence. Therefore, we note that an accidental occurrence may be a cybersecurity incident under our definition, even if there is no confirmed malicious activity. For example, if a company’s customer data are accidentally exposed, allowing unauthorized access to such data, the data breach would constitute a ‘cybersecurity incident’ that would necessitate a materiality analysis to determine whether disclosure under Item 1.05 of Form 8-K is required.”
The SEC press release specifically refers to incidents causing data loss:
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.
Given that the most common causes of data loss are human mistakes and integration errors, it makes sense that the SEC includes incidents caused by unintentional and non-malicious activity.
Preparations and Processes
The new SEC requirements include Regulation S-K Item 106, which will require registrants to describe their processes for dealing with cybersecurity incidents. Organizations that prepare for cybersecurity incidents are better positioned to detect, investigate, and neutralize problems more quickly. Dealing with these incidents promptly and effectively reduces downtime and cost and can prevent issues from escalating.
More than 6,000 companies use Own Recover to back up their mission-critical SaaS data, and to recover from data loss incidents in a timely, precise, and reliable manner. In addition, Data Recovery Readiness and Response (DR3) for SaaS helps customers prepare for incidents involving data loss, and establish processes and documentation to support proof of compliance. Such preparation puts companies in a stronger position to describe the nature, scope, and timing of the incident and the material impact in a Form 8-K when reporting an incident to the SEC.
These requirements will go into effect at the end of 2023.
To learn more about how Own helps companies with regulatory compliance, check our website.