How to Prepare for the SEC's New Cyber Disclosure Rule
Published 08/16/2023
Originally published by Schellman.
The Securities and Exchange Commission's (SEC) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure will require buy-in and active preparation from several departments of your organization to accommodate the new requirements.
As it demands companies provide investors with timely, accurate, and "decision-useful" information about their cyber risk management, strategy, and governance processes, the introduction of this new SEC rule signifies a paradigm shift in cybersecurity—with it slated to take effect in mid-December 2023, organizations must get started in gearing up for a new era of increased transparency and accountability.
In this article, we will explain some of the particular requirements of the rule, why it’s important, and how you can get started in preparing for compliance with it.
What is the New SEC Cyber Disclosure Rule?
As cyber incidents have continued to escalate in number, severity, and financial consequences, investors began to demand greater visibility into the cyber practices of the companies they invest in. This new rule seeks to meet that demand: the SEC will now mandate comprehensive disclosure of cyber risk management strategies.
To help shield investors from the potential damages of cybersecurity breaches, the final rule requires changes to two company filings:
- 10-K: In this annual filing, companies must provide detailed descriptions of their cybersecurity programs.
- Form 8-K: A brand new mandatory filing, this expedited form demands reporting of material cybersecurity incidents within four days of materiality determination. To clarify materiality, companies should consider quantitative and qualitative factors, including:
  - Financial impact
  - Reputation
  - Customer relationships
  - Vendor relations
  - Compliance
The Importance of Robust Cybersecurity Disclosures
With these new measures, the SEC's new cybersecurity disclosure rule aims to mark a transformative step towards transparency and accountability in today's dynamic cyber landscape.
Embracing this change and proactively addressing compliance challenges will differentiate companies as leaders in the field, reinforcing trust and confidence among investors and stakeholders alike.
3 Steps to Prepare for the New SEC Cyber Disclosure Rule
So, how can you get started?
Achieving compliance will take more than filings—the new rule necessitates a cohesive and collaborative approach to cybersecurity that will take input from many different angles to ensure the integrity and accuracy of the disclosed information within those filings.
To get started cultivating this holistic foundation, we recommend these three steps.
1. Understand Each Department’s Role in Compliance.
Preparing for compliance involves more than just ticking the boxes—it requires unifying organizational efforts and fostering a proactive security culture across security, finance, risk, legal, and business objectives.
To ensure seamless coordination in the event of a cybersecurity incident, align the following departments and key stakeholders, who each will play a critical role:
| Department | Duties |
| --- | --- |
| CEOs and CFOs | The top leadership must take responsibility for the completeness and accuracy of the disclosed cyber risk management program. |
| Boards | Governance boards will be responsible for overseeing cybersecurity risk and identifying committees responsible for effective oversight. |
| CIOs/CISOs and Their Teams | Technical teams will need to: |
| Legal | Legal teams will play a crucial role in documenting materiality determinations and justifying conclusions, if needed, to the SEC. |
| Internal Audit | Internal auditors will assess the organization's readiness for disclosure and conduct tabletop exercises to validate preparedness. |
2. Answer These Key Questions.
To successfully comply with the new rule, you must also address several key questions:
- What is our process for reporting cybersecurity incidents, and how do we determine materiality?
- How can we ensure our processes for determining materiality are well-documented and justified?
- What is the appropriate level of information to disclose without revealing confidential cybersecurity procedures?
- Can we report material incidents within the four-day period mandated by the SEC?
- How will we comply with the requirement to report related occurrences that qualify as "material"?
3. Assess and Test Your Preparedness.
Once you’ve answered these questions and put the necessary related measures in place, you’ll likely want some reassurance that you’re truly ready should anything happen.
To gauge your preparedness:
- Conduct a thorough diagnostic overview of your cybersecurity programs and identify any areas that still need improvement.
- After that, conduct tabletop exercises to simulate cybersecurity incident scenarios and test your organization's capability to both determine materiality and furnish the necessary information within the specified timeline.
Next Steps for Successfully Navigating the New Disclosure Landscape
Undoubtedly, the SEC's new cyber disclosure rule presents challenges for organizations that are currently unprepared to reveal their cybersecurity practices to the extent that will become required in December 2023. That being said, we believe this development actually presents a unique opportunity for companies to bolster their cybersecurity capabilities and proactively position themselves as industry leaders in transparency and governance.
And now that you know a little bit about where you can get started, you may be interested in further ways to improve your cybersecurity and gain further efficiencies—if so, check out our other articles.