New SEC Regulations Shape Cybersecurity Reporting Standards
Paul Kurtz of Splunk on Changes to Breach Reporting, Accountability
New Securities and Exchange Commission rules require publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to describe their cybersecurity risk management, strategy and governance in their annual 10-K filings. But the judgment of whether an incident is material, and therefore reportable, rests with the board, said Paul Kurtz, field CTO of Splunk.
“It’s not so much the CISO making the call, but it’s the board deciding if whatever has occurred would have a material impact on an investor,” he said. The 10-K financial report will now also include specific disclosures about a company’s approach to protecting its digital assets. It “relays what the cybersecurity strategy is for the company.”
“If company X has said, ‘This is our strategy,’ and it turns out that they weren’t implementing that strategy, it can pose a problem for the company in question. It raises the level of expectations for security overall,” he said.
In this video interview with Information Security Media Group at the Fraud, Security and Risk Management Summit, Kurtz discussed:
- The impact of the new SEC rules on publicly traded companies;
- Why the new SEC guidelines focus on both transparency and accountability;
- Advice for a less-resourced organization that doesn’t have a mature cyber posture.
Kurtz has led organizations involved in the most pressing national security issues, ranging from counterterrorism and weapons nonproliferation to critical infrastructure protection and cybersecurity. His management experience spans government, nonprofits and the private sector.