What 'Material' Might Mean, and Other SEC Rule Mysteries
How can a CISO know if a cybersecurity incident is "material," and is that even the CISO's job? Forrester principal analyst Jeff Pollard explains this and other lessons learned after one year of living with the Securities and Exchange Commission's Cybersecurity Rule.
December 9, 2024
Dec. 15 will mark one year since the Securities and Exchange Commission began enforcing its landmark rule mandating that publicly traded companies disclose "material" cyber incidents. One year in, what have CISOs learned about defining "the 'm' word," and other unforeseen surprises?
Forrester principal analyst Jeff Pollard will dig into this in detail at the 2024 Forrester Security and Risk Summit, Dec. 9-11 in Baltimore and online, in a session called “A CISO's Life Preserver for SEC Disclosure Requirements” on Wednesday, Dec. 11. He gave InformationWeek a preview of that session, explaining a bit about what CISOs ought to know about materiality. (Good news: it's less than you think.)
