Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

How to Prepare for the SEC's New Cyber Disclosure Rule

Home
Industry Insights
How to Prepare for the SEC's New Cyber Disclosure Rule

Blog Article Published: 08/16/2023

Originally published by Schellman.

The Securities and Exchange Commission's (SEC) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure will require buy-in and active preparation from several departments of your organization to accommodate the new requirements.

As it demands companies provide investors with timely, accurate, and "decision-useful" information about their cyber risk management, strategy, and governance processes, the introduction of this new SEC rule signifies a paradigm shift in cybersecurity—with it slated to take effect in mid-December 2023, organizations must get started in gearing up for a new era of increased transparency and accountability.

In this article, we will explain some of the particular requirements of the rule, why it’s important, and how you can get started in preparing for compliance with it.


What is the New SEC Cyber Disclosure Rule?

As cyber incidents have continued to escalate in number, severity, and financial consequences, investors began to demand greater visibility into the cyber practices of the companies they invest in—this new rule seeks to assist in this, as the SEC will now mandate comprehensive disclosure of cyber risk management strategies.

To help shield investors from the potential damages of cybersecurity breaches, the final rule requires changes to two company filings:

  • 10-K: In this annual filing, companies must provide detailed descriptions of their cybersecurity programs.
  • Form 8-K: A brand new mandatory filing, this expedited form demands reporting of material cybersecurity incidents within four days of materiality determination. To clarify materiality, companies should consider quantitative and qualitative factors, including:
    • Financial impact
    • Reputation
    • Customer relationships
    • Vendor relations
    • Compliance.


The Importance of Robust Cybersecurity Disclosures

With these new measures, the SEC's new cybersecurity disclosure rule aims to mark a transformative step towards transparency and accountability in today's dynamic cyber landscape.

Embracing this change and proactively addressing compliance challenges will differentiate companies as leaders in the field, reinforcing trust and confidence among investors and stakeholders alike.


3 Steps to Prepare for the New SEC Cyber Disclosure Rule

So, how can you get started?

Achieving compliance will take more than filings—the new rule necessitates a cohesive and collaborative approach to cybersecurity that will take input from many different angles to ensure the integrity and accuracy of the disclosed information within those filings.

To get started cultivating this holistic foundation, we recommend these three steps.


1. Understand Each Department’s Role in Compliance.

Preparing for compliance involves more than just ticking the boxes—it requires unifying organizational efforts and fostering a proactive security culture across their security, finance, risk, legal, and business objectives.

To ensure seamless coordination in the event of a cybersecurity incident, align the following departments and key stakeholders, who each will play a critical role:

Department

Duties

CEOs and CFOs:

The top leadership must take responsibility for the completeness and accuracy of the disclosed cyber risk management program.

Boards:

Governance boards will be responsible for overseeing cybersecurity risk and identifying committees responsible for effective oversight.

CIOs/CISOs and Their Teams:

Technical teams will need to:

  • Assess and manage material cybersecurity risks;
  • Implement robust policies and procedures; and
  • Comprehend the reporting process.

Legal:

Legal teams will play a crucial role in documenting materiality determinations and justifying conclusions, if needed, to the SEC.

Internal Audit:

Internal auditors will assess the organization's readiness for disclosure and conduct tabletop exercises to validate preparedness.


2. Answer These Key Questions.

To successfully comply with the new rule, you must also address several key questions:

  • What is our process for reporting cybersecurity incidents, and how do we determine materiality?
  • How can we ensure our processes for determining materiality are well-documented and justified?
  • What is the appropriate level of information to disclose without revealing confidential cybersecurity procedures?
  • Can we report material incidents within the four-day period mandated by the SEC?
  • How will we comply with the requirement to report related occurrences that qualify as "material"?


3. Assess and Test Your Preparedness.

Once you’ve answered these questions and put the necessary related measures in place, you’ll likely want/need some reassurances that you’re truly ready should anything happen.

To gauge your preparedness:

  • Conduct a thorough diagnostic overview of your cybersecurity programs and identify any areas that still need improvement.
  • After that, conduct tabletop exercises to simulate cybersecurity incident scenarios and test your organization's capability to both determine materiality and furnish the necessary information within the specified timeline.


Next Steps for Successfully Navigating the New Disclosure Landscape

Undoubtedly, the SEC's new cyber disclosure rule presents challenges for organizations that are currently unprepared to reveal their cybersecurity practices to the extent that will become required in December 2023. That being said, we believe this development actually presents a unique opportunity for companies to bolster their cybersecurity capabilities and proactively position themselves as industry leaders in transparency and governance.

And now that you know a little bit regarding where you can get started, you may be interested in further ways to improve your cybersecurity and further efficiencies—if so, check out our other articles that may be of interest:

C-LevelComplianceLegalRisk Management

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Certificate of Cloud Auditing Knowledge (CCAK)
The industry's first global auditing credential.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
This Year’s Zero Trust Opportunity for Security Professionals
Trending This Week
#1 CCSK vs CCSP: Unbiased Comparison
#2 Demystifying Secure Architecture: Review of Generative AI Based Products and Services
#3 Managing Cloud Misconfiguration Risks
#4 Five Approaches for Securing Identity in Cloud Infrastructure
#5 Clarifying 10 Cybersecurity Terms
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How DSPM Can Help Solve Healthcare Cybersecurity Attacks

Published: 04/30/2024

Considerations When Including AI Implementations in Penetration Testing

Published: 04/30/2024

Your Ultimate Guide to Security Frameworks

Published: 04/29/2024

Five Reasons Why Ransomware Still Reigns

Published: 04/29/2024