UPDATED 12:02 EDT / SEPTEMBER 21 2023

Marshall Heilman, Amy Geiger and Edgard Capdevielle, mWISE Conference, 2023 POLICY

Adapting to new rule changes in cyber risk management: How the SEC changed the game

The Securities and Exchange Commission’s July 2023 rule changes in cyber risk management require companies to disclose governance processes and cyber risk in 10-K filings, define materiality thresholds and publicly disclose material cyber incidents within four days in an 8-K filing.

Companies should now establish a framework for determining materiality, considering various factors, as the SEC rule change may impact how materiality is defined, according to Amy Geiger (pictured, second from right), managing director at Accenture PLC. These developments put additional pressure on companies when it comes to their business filings.

“It’s very clear that the clock starts when you determine materiality,” Geiger said. “I think the first task companies have right now is: What’s my framework for establishing materiality? Once you determine that you’ve got a material incident, now all the operational impacts start. Not only am I trying to contain my incident, but now I’ve got to start making sure I’m getting the right data to be able to make those calls around materiality.”

Geiger; Marshall Heilman (left), global chief technology officer at Mandiant, a Google LLC company; and Edgard Capdevielle (right), chief executive officer at Nozomi Networks Inc., spoke with theCUBE industry analyst John Furrier (second from left) at the mWISE Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the need to adapt to new rule changes in cyber risk management and prioritizing centralization. (* Disclosure below.)

Getting ready for incidents

The structure of teams and workflows should be based on an organization’s governance and preparedness for incidents, according to Heilman. More important than the structure itself is handling breaches properly, both to maintain public confidence and to comply with regulations.

Companies must ensure that if a major breach occurs, they can demonstrate breach management, Heilman added. This will help instill confidence by showing that appropriate measures have been taken and that the company has complied with regulations set by bodies, such as the SEC, aimed at protecting investors.

“The SEC jumped the gun … to protect investors, [which is] the right thing to do. But it’s only the first step,” Capdevielle said. “I think we’re about eight months from having CISA do its move and it’s going to be very similar. It’s also going to continue to have some teeth. The CISOs and management teams, and specifically boards, need to start preparing for the new world.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the mWISE Conference:

(* Disclosure: Accenture PLC sponsored this segment of theCUBE. Neither Accenture nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
