News

5 recommendations for acing the SEC cyber security rule

Steve Durbin
Published 01 August 2024
Read the full article on CSO online

Rules implemented in 2023 by the US Securities and Exchange Commission (SEC) regarding risk management, strategy, governance, and incident disclosure have raised important considerations for security leaders of public companies. These range from grasping the rules themselves to managing yet another set of regulations in an increasingly evolving and diverse cybersecurity landscape.

The new SEC regulation is divided into three main components. The first component has received the most press attention — the obligation to report “material” cybersecurity incidents to the SEC within four business days of discovery.

It’s worth noting that the four-day timeframe for incident disclosure does not begin at the moment of discovery. The SEC recognizes that businesses will need some time to investigate and evaluate the incident.

However, the regulators will eventually expect that a public company will possess sufficient internal information to determine whether the incident caused significant risk to the entity and its shareholders. If the incident is deemed material, then the organization must report it (via Form 8-K) within four days of such determination.

Annual reports now need to include disclosures too

The second and third components relate to annual disclosures of risk management strategies and governance practices. Public companies are now required to disclose in their annual reports (Form 10-K):

  • Processes for assessing, identifying, and managing cybersecurity threats.
  • Whether any risks or previous cybersecurity incidents had materially affected the company’s business strategy, financial conditions and business operations or are likely to affect them.
  • The board’s oversight of cybersecurity risks; the board’s prior experience and expertise with cybersecurity; the committees responsible for overseeing cybersecurity risks; the processes and practices by which the board is informed of cybersecurity risks.