How to Prepare for the SEC's New Cybersecurity Disclosure Rule
The Securities and Exchange Commission's (SEC) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure will require buy-in and active preparation from several departments of your organization to accommodate the new requirements.
Because it demands that companies provide investors with timely, accurate, and "decision-useful" information about their cyber risk management, strategy, and governance processes, this new SEC rule marks a paradigm shift in cybersecurity. With the rule slated to take effect in mid-December 2023, organizations must begin gearing up now for a new era of increased transparency and accountability.
As cybersecurity experts who assist organizations with, and assess their adherence to, various industry-accepted security standards, we can help you get started. In this article, we will explain some of the particular requirements of the rule, why it’s important, and how you can begin preparing for compliance with it.
What is the New SEC Cyber Disclosure Rule?
As cyber incidents have continued to escalate in number, severity, and financial consequences, investors have begun to demand greater visibility into the cyber practices of the companies they invest in. This new rule seeks to provide that visibility: the SEC will now mandate comprehensive disclosure of cyber risk management strategies as well as Board-level oversight of cybersecurity programs.
To help shield investors from the potential damages of cybersecurity breaches, the final rule requires changes to two company filings:
- Form 8-K: A new mandatory item (1.05) requires reporting of material cybersecurity incidents within four business days of the materiality determination. When assessing materiality, companies should consider both quantitative and qualitative factors, including:
  - Financial impact
  - Customer relationships
  - Vendor relations
- Form 10-K: In this annual filing, companies must provide detailed descriptions of their cybersecurity programs as part of the new Regulation S-K Item 106(b).
The Importance of Robust Cybersecurity Disclosures
With these new measures, the SEC's new cybersecurity disclosure rule aims to mark a transformative step towards transparency and accountability in today's dynamic cyber landscape.
Embracing this change and proactively addressing compliance challenges will differentiate companies as leaders in the field, reinforcing trust and confidence among investors and stakeholders alike.
3 Steps to Prepare for the New SEC Cybersecurity Disclosure Rule
So, how can you get started?
Achieving compliance will take more than filings—the new rule necessitates a cohesive and collaborative approach to cybersecurity that will take input from many different angles to ensure the integrity and accuracy of the disclosed information within those filings.
To get started cultivating this holistic foundation, we recommend these three steps.
1. Understand Each Department’s Role in Compliance.
Preparing for compliance involves more than just ticking boxes—it requires unifying organizational efforts and fostering a proactive security culture across security, finance, risk, legal, and business objectives.
To ensure seamless coordination in the event of a cybersecurity incident, align the following departments and key stakeholders, who each will play a critical role:
CEOs and CFOs:
The top leadership must take responsibility for the completeness and accuracy of the disclosed cyber risk management program.
Governance boards will be responsible for overseeing cybersecurity risk and identifying committees responsible for effective oversight.
CIOs/CISOs and Their Teams:
Technical teams will need to:
Legal teams will play a crucial role in documenting materiality determinations and justifying conclusions, if needed, to the SEC.
Internal auditors will assess the organization's readiness for disclosure and conduct tabletop exercises to validate preparedness.
2. Answer These Key Questions.
To successfully comply with the new rule, you must also address several key questions:
- What is our process for reporting cybersecurity incidents, and how do we determine materiality?
- How can we ensure our processes for determining materiality are well-documented and justified?
- What is the appropriate level of information to disclose without revealing confidential cybersecurity procedures?
- Can we report material incidents within the four-day period mandated by the SEC?
- How will we comply with the requirement to report related occurrences that qualify as "material"?
3. Assess and Test Your Preparedness.
Once you’ve answered these questions and put the necessary measures in place, you’ll likely want some reassurance that you’re truly ready should an incident occur.
To gauge your preparedness:
- Conduct a thorough diagnostic overview of your cybersecurity programs and identify any areas that still need improvement.
- Then conduct tabletop exercises to simulate cybersecurity incident scenarios and test your organization's capability both to determine materiality and to furnish the necessary information within the specified timeline.
And if you'd prefer further independent validation of your efforts, we at Schellman can perform a targeted assessment of your response capabilities or a broader assessment against the NIST CSF as a whole.
(For more insight into cybersecurity frameworks that can help facilitate compliance with the new Rule, check our article comparing NIST CSF to other options.)
Next Steps for Successfully Navigating the New Disclosure Landscape
Undoubtedly, the SEC's new cyber disclosure rule presents challenges for organizations that are currently unprepared to reveal their cybersecurity practices to the extent that will become required in December 2023. That being said, we at Schellman believe this development actually presents a unique opportunity for companies to bolster their cybersecurity capabilities and proactively position themselves as industry leaders in transparency and governance.
Now that you know where you can get started, you may be interested in further ways to improve your cybersecurity and efficiency—if so, check out our other articles that may be of interest:
- Should You Implement the NIST Cybersecurity Framework?
- What is Executive Order 14028?
- The (Hidden) Benefits of a Penetration Test
- SEC Cybersecurity Rules Shape the Future of Incident Management (ft. Schellman's Doug Barbin)
At Schellman, we stand ready to assist organizations in navigating this new era of transparency, empowering them to embrace the SEC's new cyber disclosure rule as a catalyst for growth, innovation, and cybersecurity resilience—if you have any questions about this new rule or how our services may be able to help, contact us today.
About AVANI DESAI
Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance, and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development, and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female-only venture philanthropic fund that works to solve problems related to women and children in the community.