Unpacking the New SEC Cybersecurity Disclosure Requirements
The U.S. Securities and Exchange Commission (SEC) has taken its first steps toward defining what companies must do regarding cybersecurity. The formal adoption of the new SEC cybersecurity disclosure requirements took effect in December 2023. Although the new rules primarily target publicly listed companies, private and smaller companies should also be familiar with the new standards as they prepare their own operations for security compliance.
The SEC’s cybersecurity rules, first communicated in July 2023, require publicly listed companies to comply with numerous incident reporting and governance disclosure requirements. One key point of distinction from the SEC’s previous—and more hands-off—stance was that organizations should assume they will experience real threats and potential breaches. Forget hypotheticals; companies today must be prepared for the eventual cyber incident.
The primary driver for the increased focus from the SEC on cybersecurity disclosures is the protection of investors and market integrity. Investors and voting members of organizations need to have confidence their groups are taking cybersecurity seriously and providing transparency. This is a clear reaction to not only the potential damage attacks, breaches and data loss can have on businesses, but also how some organizations have tried to obscure such incidents in the past.
For example, in October the SEC brought charges against SolarWinds CISO Timothy Brown for allegedly misleading investors about the company’s security prior to a cyberattack launched on the company in 2019. Many of the accusations come from comments Brown allegedly shared internally. Clearly, the status quo can’t continue.
Here we’re diving into the new SEC rule updates and what companies should think about when it comes to complying with the new directives.
Critical Components of the New SEC Cybersecurity Disclosure Requirements
We’ve broadly categorized the substance of the new SEC requirements into segments below. Listed are the pertinent details for each and the new expectations companies must meet.
Cyber Incident Reporting
- Report “material” cybersecurity incidents on a Form 8-K within four business days of materiality determination.
- Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant.
- Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors.
Cyber Risk Management & Strategy
Describe the company’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including:
- Whether cybersecurity is part of the overall risk management program, whether the company engages consultants, auditors or other third parties, and what processes exist to oversee and identify risks arising from the use of third parties.
- Whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant’s business strategy, results of operations, or financial condition.
Describe the company’s governance of cybersecurity risks as it relates to:
- The board’s oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for oversight and the process by which they are informed about cyber risks.
- Management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures and strategies.
- Specific disclosure of any management positions or committees responsible for assessing and managing cyber risks, including discussion of their relevant expertise.
SEC Cybersecurity Disclosure Questions
While the new SEC regulations do an admirable job of detailing specifics and addressing the key issues that matter most for securing the trust of the market and shareholders, they aren’t a perfect solution. More specificity would have been welcome regarding potential penalties, especially for habitual offenders. Will the disclosure requirements achieve what they were intended to do? That remains to be seen.
With their adoption, however, the SEC cybersecurity disclosure requirements immediately add another layer of complexity for organizations that are likely already working to adhere to existing industry or other governmental standards. How the new SEC rules intersect with, or augment, those existing standards is also left to organizations and their security teams to figure out.
If SEC compliance is required for your company, you need to be able to answer many questions related to how your organization meets or is planning to meet these regulations. The considerations include (among many others):
- Are our organization’s policies and procedures, risk assessments, controls and monitoring strong enough to disclose publicly?
- Are we getting the information we need to oversee cybersecurity at the board level?
- What is our process for reporting cybersecurity incidents?
- How can we effectively determine materiality of a breach or attack?
- Can we report within the four-day period?
- What is the right level of information to disclose?
Inversion6 Helps You Prepare for the New SEC Cybersecurity Disclosure Rules
From initial assessments that establish the maturity level of your security controls to specific, detailed courses of action, Inversion6 has the experience and breadth of industry knowledge to help you plot your way forward. We help you establish the baseline of where your organization stands, identify the gaps you need to address, and select the tools required for remediation and mitigation.
We develop customized strategies for the specific circumstances your organization faces. Our compliance services give you expert advice and help you create educational initiatives—such as interactive and instructional tabletop exercises—to give your board the institutional knowledge needed now to meet and exceed the new requirements.
For more than 30 years, Inversion6 has created comprehensive, effective and manageable cybersecurity solutions that include a Security Operations Center (SOC), managed detection & response (MDR), autonomous penetration testing, and more. We act as an extension of your team to tackle risk management and threat mitigation challenges of today.
You don’t have to develop a response plan to the new SEC cybersecurity disclosure requirements on your own. Schedule a consultation today to discover how our expertise helps you navigate the changes.