The Role of ITAM in Complying with the New SEC Cybersecurity Rules

As of December 18, 2023, public companies must disclose material cybersecurity incidents to shareholders and the Securities and Exchange Commission (SEC) on Form 8-K. The timeline for reporting is short: under the new SEC rules, companies must determine the incident’s materiality as soon as possible after discovery, then file the report within four business days. That’s a tall order for organizations that lack effective IT asset management (ITAM) practices.

As we noted in a previous post, ITAM plays a critical role in cybersecurity. Lost and stolen IT assets represent 17 percent of security incidents. If IT teams cannot track and control IT assets, they cannot effectively secure them.

The SEC rules create new urgency for improving ITAM practices. If an asset cannot be located, organizations will be hard-pressed to demonstrate whether its loss constitutes a security incident and whether that incident is material.

What Is a Material Incident?

The SEC rules reflect the growing impact of security incidents on company valuations. A 2019 Bitglass study found that stock prices dropped 7.5 percent after a company suffered a security incident and took 46 days to recover on average. Form 8-K is used to report major events, such as substantial changes to the company’s financial condition or impairments to operations. Security incidents fall into that category.

The rules define “security incident” broadly as “unauthorized occurrence … that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Sensitive data doesn’t have to be compromised. An incident could include any event that impairs operations in a way that affects production or revenue.

An incident is “material” if a reasonable investor would consider it important. An incident that harms the company’s reputation might be considered material even if it had minimal financial impact. Furthermore, multiple minor incidents might be material when considered as a whole.

The Board of Directors’ Role

An incident report should provide investors and the SEC with a snapshot of the incident’s impact. For example, if data was stolen or compromised, the report should give a sense of the scope of the breach. It should also note when the incident was discovered and whether it has been remediated.

In addition, companies must discuss their cybersecurity strategies in their annual reports. The report should cover board oversight of cyber threats, management expertise, and internal policies and procedures for managing risk. It should also provide specific examples of the most likely threats and their potential impact on the company’s operations.

The rules reinforce the board’s role and responsibility for keeping abreast of the cybersecurity climate and the company’s security posture. This should elevate ITAM from an administrative process to a critical component of the company’s strategy. Board members and the executive team need accurate data on the location and posture of IT assets to identify potential threats.

The Importance of Robust ITAM

The challenge for many organizations is that IT asset practices are focused on finance, procurement and operations rather than regulatory compliance. Missing assets may be written off as a cost of doing business. IT managers may assume that an asset was securely retired without considering the potential security and regulatory risks.

When ITAM is properly implemented, IT teams have a complete record of each asset’s disposition and can track every touchpoint throughout its lifecycle. Missing assets can be traced to determine if they have been lost or stolen. The IT asset database also provides a record that can be used for regulatory reporting.
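The paragraph above describes what a complete ITAM record makes possible: reconstructing each asset’s chain of custody from its touchpoints, spotting assets whose disposition is unproven rather than assuming they were securely retired, and having a record to support the filing timeline. The following is an added example written for this post, not code from KST Data or any ITAM product. The asset tags, event names, dates and the 30-day staleness threshold are constructed assumptions; the four-business-day deadline calculation skips weekends only and does not model market holidays.

```python
from datetime import date, timedelta

# Constructed sample touchpoints (asset tag, ISO date, event, actor).
# Invented for this example; they do not come from any real inventory.
EVENTS = [
    ("LT-1001", "2023-11-02", "received", "receiving"),
    ("LT-1001", "2023-11-05", "assigned", "j.doe"),
    ("LT-1001", "2023-12-01", "returned", "j.doe"),
    ("LT-1001", "2023-12-03", "wiped", "it-ops"),
    ("LT-1001", "2023-12-04", "retired", "itad-vendor"),
    ("LT-1002", "2023-11-02", "received", "receiving"),
    ("LT-1002", "2023-11-06", "assigned", "a.smith"),
    ("LT-1002", "2024-01-10", "returned", "a.smith"),     # returned, then no wipe or retirement
    ("LT-1003", "2023-11-02", "received", "receiving"),
    ("LT-1003", "2023-11-06", "assigned", "m.lee"),       # last seen with the user months ago
    ("LT-1004", "2023-11-02", "received", "receiving"),
    ("LT-1004", "2023-12-15", "reported_lost", "security"),
    ("LT-1005", "2023-11-02", "received", "receiving"),
    ("LT-1005", "2023-11-20", "retired", "itad-vendor"),  # retirement with no wipe record
]


def _as_date(value):
    """Accept either a date or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def build_chains(events):
    """Group touchpoints per asset in date order: one chain of custody each."""
    chains = {}
    for tag, day, event, actor in sorted(events, key=lambda e: (e[0], e[1])):
        chains.setdefault(tag, []).append((date.fromisoformat(day), event, actor))
    return chains


def review_assets(events, as_of, stale_days=30):
    """Return {asset_tag: reason} for every asset whose disposition is not proven.

    An asset is cleanly accounted for only if its chain ends in 'retired' AND a
    'wiped' event precedes that retirement. Anything else is flagged: reported
    lost, retired without a wipe record, or no touchpoint for `stale_days`.
    """
    as_of = _as_date(as_of)
    findings = {}
    for tag, chain in build_chains(events).items():
        last_day, last_event, _ = chain[-1]
        earlier_events = [event for _, event, _ in chain[:-1]]
        if last_event == "reported_lost":
            findings[tag] = "reported lost"
        elif last_event == "retired":
            if "wiped" not in earlier_events:
                findings[tag] = "retired without wipe record"
        elif (as_of - last_day).days > stale_days:
            findings[tag] = f"no touchpoint since {last_day} (last: {last_event})"
    return findings


def filing_deadline(determination_date, business_days=4):
    """Date by which Form 8-K is due: `business_days` after materiality is determined.

    Weekends are skipped; market holidays are NOT modelled (an assumption of this
    example), so a production calendar needs a holiday table as well.
    """
    day = _as_date(determination_date)
    remaining = business_days
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return day


if __name__ == "__main__":
    for tag, reason in review_assets(EVENTS, as_of="2024-02-15").items():
        print(f"{tag}: {reason}")
    print("8-K due:", filing_deadline("2024-02-14"))
```

Run as-is, the review flags four of the five constructed assets: one returned but never wiped or retired, one last seen with its user months ago, one reported lost, and one marked retired with no wipe record. Only LT-1001, whose chain runs through a recorded wipe to retirement, is treated as securely disposed of; that is the distinction the paragraph draws between assuming an asset was retired and being able to show it.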

KST Data delivers full-lifecycle solutions to help organizations improve their ITAM practices. We correlate data from endpoint and software license management platforms to create a centralized dashboard that provides full visibility into the IT asset portfolio. We ensure that the dashboard is populated with accurate and complete data by capturing that information at every touchpoint. Let us help you gain greater control over your IT assets to meet increasingly stringent regulatory requirements.