Cybersecurity: Topic A after Valentine’s Day

Feb. 13, 2024
Two data security and regulatory experts check in with Smart Industry on Feb. 15 to chat about the threat landscape and, more specifically, fresh U.S. government regulations on incident reporting that public companies must now follow.

On Feb. 15, Smart Industry will devote the first of four planned webinars in 2024 to a red-hot topic in manufacturing IT and OT: cybersecurity and, more specifically, brand-new U.S. Securities and Exchange Commission regulations that took effect on Dec. 18 and that, for the first time, require publicly traded companies to openly report “material” cyberattacks within days.

SI has recruited two leading authorities for the discussion on Thursday: Michael Daniel, president and CEO of the Cyber Threat Alliance and the former Obama administration cybersecurity coordinator, and Richard Bird, Traceable AI’s chief information security officer and a recognized influencer on cybersecurity, data privacy, digital consumer rights, and next-generation security topics.

Daniel and Bird will primarily cover the preparation now required of companies to report cyber incidents after they occur—which mandates a different and perhaps unique organizational data-gathering structure at companies, all in addition to the IT and OT software infrastructure, strategies, and personnel that guard against the incursions themselves.

The basics are these: Not only do the SEC rules require companies to report on cyber incidents, they also mandate that manufacturers detail their defense strategies to shareholders, information that is easily available to anyone.

First, in their annual 10-K filing, companies must report their cybersecurity risk management, strategy, and governance. The 10-K is comprehensive, with information about company history, organizational structure, facilities owned, etc., and now all about cyber defense, too. The 10-K form is all the information an investor is supposed to have to understand how a company is doing.

So, companies now must describe in the 10-K how they identify and manage material cybersecurity threats, the “material” damage a cyberattack might do, past cybersecurity incidents, how much oversight their boards of directors have, and how management assesses and manages material risks from cyberthreats.

Second, unless the U.S. attorney general determines that the disclosure poses a national security or public safety risk, companies must, within four days, disclose cybersecurity incidents that the company determines are “material,” using a new Item line on Form 8-K, which is the form companies use to report major events shareholders ought to know about.

“After relying primarily on voluntary approaches for the past two decades, the federal government is shifting to a more proactive stance,” Daniel said, in a preview of his remarks for the Feb. 15 program. “It’s pretty obvious that the purely voluntary approach has not generated the level of cybersecurity we want or need. Further, now that cyber incidents have the potential to not just cause monetary harm but physical injury or death, the public will demand greater government involvement.”

How do companies respond and prepare? By arming themselves with a valuable commodity: information. Based on their experiences inside government and corporate governance, Daniel and Bird will come to the table Thursday with approaches manufacturers can take to bring their data-gathering and reporting processes up to the new government standards.

About the Author

Scott Achelpohl

I've come to Smart Industry after stints in business-to-business journalism covering U.S. trucking and transportation for FleetOwner, a sister website and magazine of SI’s at Endeavor Business Media, and branches of the U.S. military for Navy League of the United States. I'm a graduate of the University of Kansas and the William Allen White School of Journalism with many years of media experience inside and outside B2B journalism. I'm a wordsmith by nature, and I edit Smart Industry and report and write all kinds of news and interactive media on the digital transformation of manufacturing.