Connect with us

Hi, what are you looking for?



How to Align Your Incident Response Practices With the New SEC Disclosure Rules

By turning incident response simulation into a continuous process and employing innovative tools, you can address the stringent requirements of the new SEC incident disclosure rules.

SEC Breach Disclosure Rules

As of December 18, 2023, publicly traded organizations must comply with the Security and Exchange Commission (SEC) incident disclosure regulations, which were originally unveiled in July 2023. Under the new rules, publicly traded companies will be required to report cyber incidents within four business days of determining that the incident is “material,” meaning it would potentially impact a shareholder’s investment decisions. While many existing government regulations and industry standards have required organizations to establish business continuity and incident response (IR) plans in the past, the new SEC rules put more pressure on security practitioners than ever before. As time is of the essence, a well-practiced IR program will be critical. It’s no longer about having a plan in place; it’s about how well it can be executed, which will require many organizations to depart from their current practices.

When a cyber incident occurs, organizations need to be ready and able to respond quickly. While many organizations have deployed cybersecurity solutions for better incident detection, the foundation for an effective response is a comprehensive cyber IR plan matched with detailed governance, risk, and compliance programs. Having such plans and processes in place helps organizations manage cyber incidents in an efficient, agile, and cohesive way.

However, most companies don’t know how ready they are for a breach until they have one. They quickly learn that they should have done more to prepare. According to the IBM Cost of the Data Breach Report 2023 (PDF), it’s not just about having an IR plan in place but regularly testing it, which can lower the cost of a breach by as much as $1.49 million on average. In turn, organizations must ensure they run regular training and IR simulation exercises and have strong collaboration within their organization.

Inhibitors of Traditional IR Simulations

While IR simulations (a.k.a. tabletop exercises) are a proven tool for building awareness, improving coordination, finding gaps in an organization’s security posture, validating assumptions, and building confidence, they can be painstakingly challenging to plan and implement effectively and efficiently. This holds especially true when considering that many information security teams are understaffed, underfunded, and frequently insufficiently skilled.

Independent of the type of tabletop exercise (e.g., self-designed and facilitated, peer-to-peer, virtual, or third-party service-led exercises), an average tabletop exercise can cost an organization anywhere from $30,000 to $50,000. The overall spending is determined by the cost of training in preparation of the simulation, pre-tabletop exercise planning, incident scenario design, logistics and preparation, exercise delivery, and post-exercise analysis. That’s why it is not surprising that over a third of organizations say they space their IR tabletop exercises a year or two apart.

The New Paradigm: Automated IR Simulation

This raises the question of how you can employ IR simulations as part of your overall IR strategy without putting more stress on your staff or going over budget. Here are a few tips:

Advertisement. Scroll to continue reading.
  1. Leverage AI: Take advantage of emerging IR simulation technology that uses AI to create realistic scenarios, automate attack simulations, provide a fully interactive user experience, and analyze the results.
  • Make it Continuous: Annual IR simulations are not sufficient – specifically in light of the new SEC incident disclosure rule. To nurture a collaborative culture in your organization and optimize your incident preparedness, you need to make IR simulation an ongoing process with frequent and short sessions that keep all the stakeholders engaged.
  • Allow for Universal Engagement: It’s essential to shift IR planning away from the old model, where a few people participated once a year. In today’s dynamic threat landscape, a universal engagement is required, which includes staff members from legal, PR, investor relations, product development, cybersecurity, and general administration teams. You need to ensure inclusive participation, providing everyone a chance to prepare for likely incidents.
  • Tailored Specific for Your Business: Don’t waste time with generic simulations that don’t suit your company. Run multiple IR scenarios concurrently, with short war-room sessions and summaries sent to stakeholders whose attendance is optional. Moreover, attacks often consist of seemingly unrelated events that take place over time. Simulating these events in context can help train your stakeholders to keep an eye out for suspicious activity.
  • Insightful Reporting: Don’t spend hours generating post-simulation reports. Leverage automated IR simulation tools that provide automated reports that offer invaluable insights into key activities, potential missteps, and performance against other firms. Track your progress and identify areas for improvement, and continuously refine your cybersecurity response strategies.

Tabletop exercises will remain relevant for incident readiness optimization as long as humans are involved in intercepting and remediating cybersecurity attacks. As attacks and technologies evolve, so should IR strategies and tactics. By turning IR simulation into a continuous process and employing innovative tools, you can address the stringent requirements set out by the new SEC incident disclosure rule and make the best of tabletop exercises in 2024 and beyond.

Related: FBI Issues Guidance for Delaying SEC-Required Data Breach Disclosure

RelatedIndustry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday

RelatedRansomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...