One of the main changes is a new proposed reporting requirement for cybersecurity incidents at publicly traded companies, says Christopher Salone, a consulting manager at FoxPointe Solutions at The Bonadio Group, which is based in Rochester and has offices across Upstate, including Syracuse.
“They want it to be disclosed within four business days from when an organization determines an incident to be material,” Salone says. A material incident is one determined to potentially impact a company’s finances, operations, or relationships with customers.
While some businesses have expressed frustration with the four-day window, the time frame aligns with existing rules in New York, such as one for financial institutions requiring them to report incidents to the state within four days.
“Four days is quick to determine the full nature of an incident and disclose it, but that four-day clock doesn’t start ticking until an organization determines an incident is material,” he adds.
The second major proposed change is requiring companies to outline, at a high level, their cybersecurity program, Salone says.
That includes addressing how the company addresses threats, how it assesses risk, and how it stays up to date on all of it, he says.
The goal of the proposed changes is to make cybersecurity information available and readable to investors.
While the new rules are not final, Salone says he has no reason to expect they won’t be finalized. Typically, rules are effective 90 days after they have been released to the public register. He anticipates these rules will go into effect in mid-December unless the SEC opts to change elements after reviewing public comment.
Companies should start preparing now to make sure they will be ready to comply with the new reporting rules. “I think the best thing an organization can do is have a written and documented incident-response plan,” Salone says.
Leaders should also clearly define what a material incident is for the company and provide examples in that plan, he adds. Businesses should also outline roles and responsibilities during a cyber incident. Ideally, these plans include the company’s IT, compliance, risk, and auditing departments along with any other entities that may have a hand in cyber response or reporting. This can include outside vendors or a company’s cyber insurance provider.
“Make sure you test those plans on an annual basis,” Salone says. He also suggests including an appendix with disclosure templates ready to go. All of that helps ensure a company is ready and able to report if it is required to do so.
The proposed rules also call for companies to outline management’s role in implementing cybersecurity policies and procedures; disclose the board of directors’ cybersecurity expertise and its oversight of cybersecurity risk; and provide updates about previously reported material cybersecurity incidents.
The changes update guidance issued in 2011 and previously updated in 2018.