Navigating the SEC Cybersecurity Disclosure Rule

Author

Trent Fisher

The US Securities Exchange Commission (SEC) introduces a new era of transparency by demanding that organizations provide investors with timely, consistent, and comprehensive information on their cyber risk management, strategy, and governance processes. The new disclosure rules require accuracy to determine the materiality of cybersecurity incidents and speed to disclose a cybersecurity incident within four days of establishing that the incident is material.

These regulatory changes will make organizations need to bolster their cybersecurity strategies, improve incident response processes, and establish robust communication plans.

What Is the New SEC Cyber Disclosure Rule?

On July 26, 2023, the SEC adopted new regulations enhancing the disclosure requirements on cybersecurity readiness and incident reporting for publicly traded companies. The biggest beneficiaries of the rule are investors who, triggered by the escalating cyber incidents, demanded greater visibility into the cyber practices of their organizations.

SEC rule changes require public companies to disclose information on cybersecurity incidents within four business days of materiality. As such, this requirement is now included as a new Item 1.05 on Form 8-K. Organizations must consider quantitative and qualitative factors such as financial impact, reputation, compliance, and vendor and customer relationships to clarify applicability. The rule also requires organizations to make evident their cybersecurity risk management strategy on Form 10-K. Also included in the annual filing form is the board’s role in overseeing the risk management plans

SEC Cybersecurity Disclosure Requirements

SEC noted that some cyber incidents were reported in the media but failed to appear in the affected companies’ periodic filings. This pushed the need for the new rules to ensure that disclosures are made in a complete and consistent manner. The new requirements create a uniform expectation surrounding the timing and substance of disclosures related to breach reporting. SEC proposes that breach reporting includes:

  • When the breach took place, and if it is still ongoing
  • A clear description of the nature and scope of the incident
  • Information on any stolen, altered, or unauthorized use of data
  • The overall effect and impact of the incident on an organization’s operations
  • Report on steps taken to remediate the incident, if any

The compliance deadline for the SEC cybersecurity rules will depend on the size of the reporting organizations. All large companies must comply by December 18, 2023, 90 days after the rule is published in the Federal Register. Smaller entities have 270 days after the publication date. In addition, by December 2024, all registrants must start tagging responsive disclosure in Inline XBRL.

If you are still trying to understand why you should implement the SEC’s new rule, consider this report by IBM on the cost of data breaches. It reveals that organizations that choose not to involve law enforcement typically pay more and suffer more extended disruption. More than one-third (37%) of ransomware victims in the research that did not involve law enforcement ended up spending, on average, 9.6% more–an additional $470,000–and experiencing a breach lifecycle 33 days longer than those victims who worked with law enforcement. Surprisingly, 47% of ransomware victims paid the ransom demand, which could indicate that they were not fully prepared for such an incident.

Who Is Affected by The Newly Proposed SEC Rules?

SEC’s new cybersecurity rules are designed to provide transparency on company breaches and timely notification of risk incidents. And since compliance and cybersecurity are closely related, the new rules will impact several parties, including:

  • Investors: Demanding that organizations report cybersecurity risk strategy and governance can add value to companies with solid policies and procedures for cyber risk management. This ensures investors make well-informed decisions and encourages lagging companies to improve their cyber risk management strategies.
  • Executives: To add value to their organizations, executives must evaluate their cybersecurity strategy and ensure completeness and accuracy.
  • Board of directors: You need cybersecurity expertise within the board of directors since they are ultimately responsible for overseeing cybersecurity risk and establishing the priority level cybersecurity has in the business. The board offers governance and can guide the CIO, CISO, and other relevant stakeholders.
  • CIOs/CISOs and their teams: As the technical brain of an organization, they will need to design a framework for cybersecurity and comprehend the reporting process.
  •  Security teams: They need to strengthen breach detection and minimize cybersecurity incidents while improving their reporting capabilities.

How To Prepare for Compliance with The New SEC Cybersecurity Disclosure Rule

The new SEC’s disclosure rules are undoubtedly a challenge to organizations not ready to reveal their cybersecurity practices. Fortunately, there is still time for companies to prepare. Here are some key tips and steps for preparing for compliance with SEC disclosure requirements.

  • Have A Clear and Cohesive Cybersecurity Response Strategy

Your organization must have a well-defined cybersecurity governance and response strategy aligned to best practices. The strategy should define the enterprise’s cybersecurity policies, standards, and procedures. It should also have capabilities to empower effective security decision-making and include channels for transparent reporting to relevant executives and stakeholders. 

  • Review And Adjust Your Cybersecurity Risk Management Program and Processes

A well-defined cyber security risk management program enables organizations to quickly establish when incidents could lead to material impact that requires disclosure. Critical things you must specify when reviewing and adjusting your risk program include threat profile, high-value assets, dependencies on third-party partners, and your effectiveness at detecting and responding to the threats that could lead to an incident that materially affects your operations.

  • Establish The Most Attractive Targets for Malicious Threats

As mentioned above, you need to identify and evaluate the assets that are most valuable to you, which could be attractive targets for bad actors. This helps in prioritization and brings precision to highly critical areas. When establishing your most valued assets, you must look at their significance to the business and their value to the malicious actors.

  • Update Your Plans, Playbooks and Documentation

Your organization should invest in building a proactive incident response plan. Having a playbook for different instances and documenting what needs to be done before a crisis relieves the chaos of crisis management—understanding and aligning critical systems and data to your incident response plans and playbooks positions you for a better outcome to an incident. It also improves your ability to comply with the SEC reporting requirements, as there is proper documentation of the measures and actions taken.

  • Test Your Preparedness for Cybersecurity Incidents

There needs to be more than a response plan. You must test the plan and identify gaps in adherence to the new regulations. Make sure to conduct a number of different tabletop exercises while including representation from across the organization. Getting everyone to participate ensures ownership and accountability across teams. In addition, the tests need to be objective and closely replicate what real attackers would do while targeting your critical assets.

  • Identify Your Stakeholders and Communication Channels

Organizations need to communicate about incidents internally and externally. Therefore, your incident response plan must include a comprehensive communications plan governing updates to key stakeholders. Consistent and accurate message is part of SEC requirements that organizations must meet.

  • Establish Your Ecosystem of Responding Partners

In the event of a cyber incident, there are external partners that you may require to assist you with various parts of your response plan. Depending on the nature of your business and attack, responding partners may include insurance, forensics, ransomware negotiators, legal, or communications.

How Can Liberty Advisor Group Help

Implementing SEC’s new cyber disclosure rule allows your business to enhance its cybersecurity capabilities and position itself as an industry leader in transparency and governance. Liberty Advisor Group offers integrated technology solutions that help your organization combine different data and perspectives into a common risk framework. This creates an integrated view that connects teams and increases understanding, which is critical for enabling prioritization, supporting performance and resilience, and ensuring compliance. Our Security Strategy, Cyber 360, and Threat Analysis and Prediction solutions empower risk leaders to manage risk and offer continuous monitoring to uncover and mitigate risks.

About Liberty Advisor Group

Liberty Advisor Group is a goal-oriented, client-focused, and results-driven consulting firm. We are a lean, handpicked team of strategists, technologists, and entrepreneurs – battle-tested experts with a steadfast, start-up attitude. We collaborate, integrate, and ideate in real-time with our clients to deliver situation-specific solutions that work. Liberty Advisor Group has the experience to realize our clients’ highest ambitions. Learn more on LinkedIn and Twitter.

Author

Trent Fisher

Add insights to your inbox

Get the latest in leadership news delivered straight to your inbox with our weekly newsletter.