SEC’s Division of Corporation Finance Director on Incident Disclosure - EXPERT INSIGHTS

2024-05-23

May 2024 by Steve Cobb, CISO at SecurityScorecard and Owen Denby, General Counsel at SecurityScorecard

This week, the director of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued a statement addressing early inconsistencies observed under the agency’s new cybersecurity incident disclosure rule. The following is commentary on this news from Steve Cobb, CISO at SecurityScorecard, and Owen Denby, General Counsel at SecurityScorecard.

“From the CISO perspective, I believe this is more direct evidence of the ambiguity in the SEC rules and how security leaders are unsure of the expectations and unprepared to determine materiality. This disclosure seems to be a result of CISOs wanting to be transparent, but not understanding the process the SEC has created. As a result, it could potentially mislead shareholders and investors and negatively affect the company. CISOs of public and private companies must go through the exercise of partnering with their business leaders and determine what materiality means to their respective organizations.”

“This clarification by the SEC highlights a clear trend we are seeing in the marketplace. Given the uncertainty about what is "material" under the SEC’s cyber rules, companies would rather be over-inclusive and overly cautious in their reporting, to avoid potential liability.”