Smart Industry will devote the first of four planned webinars in 2024, on Feb. 15, to a red-hot topic in manufacturing IT and OT: cybersecurity and, more specifically, brand-new U.S. Securities and Exchange Commission regulations that took effect on Dec. 18 and that, for the first time, require publicly traded companies to openly report “material” cyberattacks within days.
See also: Register here for the Feb. 15 webinar
SI has recruited two leading authorities for the discussion on Thursday: Michael Daniel, president and CEO of the Cyber Threat Alliance and the former Obama administration cybersecurity coordinator, and Richard Bird, Traceable AI’s chief information security officer and a recognized influencer on cybersecurity, data privacy, digital consumer rights, and next-generation security topics.
Daniel and Bird will primarily cover the preparation now required of companies to report cyber incidents after they occur—which mandates a different and perhaps unique organizational data-gathering structure at companies, all in addition to the IT and OT software infrastructure, strategies, and personnel that guard against the incursions themselves.
The basics are these: Not only do the SEC rules require companies to report on cyber incidents, they mandate that manufacturers detail their defense strategies to shareholders, information that is then easily available to anyone.
See also: Podcast previews cyberpreparedness program
First, in their annual 10-K filing, companies must report their cybersecurity risk management, strategy, and governance. The 10-K is comprehensive, with information about company history, organizational structure, facilities owned, etc., and now all about cyber defense, too. The 10-K form is all the information an investor is supposed to have to understand how a company is doing.
So, companies now must describe in the 10-K how they identify and manage material cybersecurity threats, the “material” damage a cyberattack might do, past cybersecurity incidents, how much oversight their boards of directors have, and how management assesses and manages material risks from cyberthreats.
Second, unless the U.S. attorney general determines that the disclosure poses a national security or public safety risk, companies must, within four days, disclose cybersecurity incidents that the company determines are “material,” using a new item on Form 8-K, the form companies use to report major events shareholders ought to know about.
See also: Microsoft hack tests new SEC disclosure rules
“After relying primarily on voluntary approaches for the past two decades, the federal government is shifting to a more proactive stance,” Daniel said, in a preview of his remarks for the Feb. 15 program. “It’s pretty obvious that the purely voluntary approach has not generated the level of cybersecurity we want or need. Further, now that cyber incidents have the potential to not just cause monetary harm but physical injury or death, the public will demand greater government involvement.”
How do companies respond and prepare? By arming themselves with a valuable commodity: information. Based on their experiences inside government and corporate governance, Daniel and Bird will come to the table Thursday with approaches manufacturers can take to bring their data-gathering and reporting processes up to the new government standards.