Foley & Lardner LLP partner Aaron Tantleff is quoted in the SDxCentral article, “New SEC cybersecurity disclosure rules: How enterprises can prepare,” discussing new cybersecurity disclosure rules that will change the way public companies manage and disclose cybersecurity incidents.
The new SEC rules state that public companies must now disclose and describe cybersecurity incidents within four business days, detail processes for handling cybersecurity threats, and offer a view into the company’s board and management’s role in assessing and managing material risks.
Tantleff said that, to bring transparency to the process, public entities should establish policies that describe the types of information and inquiries to be included in determinations of materiality. He explained that “the process for determining materiality includes senior leadership, the CIO/CISO, and legal.”
Tantleff noted that while the new four-day reporting window only begins at the time a materiality determination has been made, this reporting is independent of any state data breach notification law that may provide for delays in notification. Tantleff said that companies need to be aware of the impact and obligation of all laws requiring notification.
Tantleff added that companies should be able to provide a timeline showing that decisions are made in a timely manner, update existing incident response plans to address responsibility for materiality and notification matters, and review communication processes to ensure company leadership is promptly made aware of incidents.