As of 2024, the Securities and Exchange Commission has mandated that public companies disclose “material” cybersecurity incidents within 4 days.
Because the SEC does not precisely define “materiality”, beyond saying it is the information investors need to assess a company’s financial health, knowing how precisely to respond can be a challenge.
To meet this challenge, companies need a procedure and an automated mechanism to:
- Set a target range for material risk – in practical terms, that is a euro figure.
- Track ongoing risk levels in real time, ready to report on short notice.
- Do it all in a way that is open and defensible to the regulators.