Hey Voornaam,
The recently enacted SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule now requires publicly traded companies to disclose information about cybersecurity programs on their annual 10-K report. Additionally, public companies must disclose information about all material or potentially material cybersecurity incidents in 8-K reports. These new requirements, along with the uncertainty of how much information to report, have added to the concerns that CISOs have about their professional and personal liability.
Please join members of the Collaborative to share their experiences and insights about: (1) what the SEC regulations require; (2) how to define incident “materiality”; (3) what to report on 10-K and 8-K forms; and (4) how to mitigate CISO liability.