866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How to Prepare for the SEC's New Cybersecurity Disclosure Rule Blog Feature
AVANI DESAI

By: AVANI DESAI

Print/Save as PDF

How to Prepare for the SEC's New Cybersecurity Disclosure Rule

Cybersecurity Assessments

The Securities and Exchange Commission's (SEC) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure will require buy-in and active preparation from several departments of your organization to accommodate the new requirements.

As it demands companies provide investors with timely, accurate, and "decision-useful" information about their cyber risk management, strategy, and governance processes, the introduction of this new SEC rule signifies a paradigm shift in cybersecurity—with it slated to take effect in mid-December 2023, organizations must get started in gearing up for a new era of increased transparency and accountability.

As cybersecurity experts that assist and assess organizations with their adherence to various industry-accepted security standards, we can help get you started. In this article, we will explain some of the particular requirements of the rule, why it’s important, and how you can get started in preparing for compliance with it.

What is the New SEC Cyber Disclosure Rule?

As cyber incidents have continued to escalate in number, severity, and financial consequences, investors began to demand greater visibility into the cyber practices of the companies they invest in—this new rule seeks to assist in this, as the SEC will now mandate comprehensive disclosure of cyber risk management strategies as well as Board-level oversight of cybersecurity programs.

To help shield investors from the potential damages of cybersecurity breaches, the final rule requires changes to two company filings:

  • Form 8-K: A brand new mandatory filing item (1.05), this addition to the form demands reporting of material cybersecurity incidents within four business days of materiality determination. To clarify materiality, companies should consider quantitative and qualitative factors, including:
    • Financial impact
    • Reputation
    • Customer relationships
    • Vendor relations
    • Compliance
  • 10-K: In this annual filing, companies must provide detailed descriptions of their cybersecurity programs as part of the new SK Item 106(b).

The Importance of Robust Cybersecurity Disclosures

With these new measures, the SEC's new cybersecurity disclosure rule aims to mark a transformative step towards transparency and accountability in today's dynamic cyber landscape.

Embracing this change and proactively addressing compliance challenges will differentiate companies as leaders in the field, reinforcing trust and confidence among investors and stakeholders alike.

3 Steps to Prepare for the New SEC Cybersecurity Disclosure Rule

So, how can you get started?

Achieving compliance will take more than filings—the new rule necessitates a cohesive and collaborative approach to cybersecurity that will take input from many different angles to ensure the integrity and accuracy of the disclosed information within those filings.

To get started cultivating this holistic foundation, we recommend these three steps.

1. Understand Each Department’s Role in Compliance.

 

Preparing for compliance involves more than just ticking the boxes—it requires unifying organizational efforts and fostering a proactive security culture across their security, finance, risk, legal, and business objectives.

To ensure seamless coordination in the event of a cybersecurity incident, align the following departments and key stakeholders, who each will play a critical role:

Department

Duties

CEOs and CFOs:

The top leadership must take responsibility for the completeness and accuracy of the disclosed cyber risk management program.

Boards:

Governance boards will be responsible for overseeing cybersecurity risk and identifying committees responsible for effective oversight.

CIOs/CISOs and Their Teams:

Technical teams will need to:

  • Define a framework for cybersecurity (e.g., NIST CSF);
  • Assess and manage material cybersecurity risks;
  • Implement robust policies and procedures; and
  • Comprehend the reporting process.

Legal:

Legal teams will play a crucial role in documenting materiality determinations and justifying conclusions, if needed, to the SEC.

Internal Audit:

Internal auditors will assess the organization's readiness for disclosure and conduct tabletop exercises to validate preparedness.

 

2. Answer These Key Questions.

 

To successfully comply with the new rule, you must also address several key questions:

  • What is our process for reporting cybersecurity incidents, and how do we determine materiality?
  • How can we ensure our processes for determining materiality are well-documented and justified?
  • What is the appropriate level of information to disclose without revealing confidential cybersecurity procedures?
  • Can we report material incidents within the four-day period mandated by the SEC?
  • How will we comply with the requirement to report related occurrences that qualify as "material?"

3. Assess and Test Your Preparedness.

 

Once you’ve answered these questions and put the necessary related measures in place, you’ll likely want/need some reassurances that you’re truly ready should anything happen.

To gauge your preparedness:

  • Conduct a thorough diagnostic overview of your cybersecurity programs and identify any areas that still need improvement.
  • After that, conduct tabletop exercises to simulate cybersecurity incident scenarios and test your organization's capability to both determine materiality and furnish the necessary information within the specified timeline.

And if you'd prefer further independent validation of your efforts, we at Schellman can perform a targeted assessment of your response capabilities or a broader assessment against the NIST CSF as a whole. 

(For more insight into cybersecurity frameworks that can help facilitate compliance with the new Rule, check our article comparing NIST CSF to other options.)

Next Steps for Successfully Navigating the New Disclosure Landscape

Undoubtedly, the SEC's new cyber disclosure rule presents challenges for organizations that are currently unprepared to reveal their cybersecurity practices to the extent that will become required in December 2023. That being said, we at Schellman believe this development actually presents a unique opportunity for companies to bolster their cybersecurity capabilities and proactively position themselves as industry leaders in transparency and governance.

And now that you know a little bit regarding where you can get started, you may be interested in further ways to improve your cybersecurity and further efficiencies—if so, check out our other articles that may be of interest:

At Schellman, we stand ready to assist organizations in navigating this new era of transparency, empowering them to embrace the SEC's new cyber disclosure rule as a catalyst for growth, innovation, and cybersecurity resilience—if you have any questions about this new rule or how our services may be able to help, contact us today.

About AVANI DESAI

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not for profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female only venture philanthropic fund to solve problems related to women and children in the community.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.