SEC Public Company Cybersecurity Rules
New SEC rules will require prompt disclosure of incidents, clear reporting on cyber risk management policies and procedures, and deeper board-level involvement.
In July 2023, the US Securities and Exchange Commission (SEC) issued a new set of cybersecurity disclosure rules pertaining to public companies in the United States. These rules are meant to help investors make decisions about where to invest by providing more information about how seriously an organization takes cybersecurity risks.
Companies that can share details on their process for tracking cyber risk, such as how they create and track cyber risk scores over time, and that have a repeatable, straightforward process for reporting to and engaging their board of directors on cybersecurity risk, stand to differentiate themselves in the eyes of investors.
The SEC seeks to thread a needle: organizations must provide enough data to inform investors, without “increasing a company’s vulnerability to cyberattack … to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors.”
The Federal Register shows the rules took effect September 5, 2023.
Key new SEC cybersecurity rules
Review new rules with security leads, as well as audit and finance teams who manage filings, to create a process to meet the four-day deadline in the case of a material event.
Ensure your company has a strong grasp on how to determine when a cybersecurity event meets the threshold of being “material.”
Security leaders must draft their description of the process for understanding and assessing cyber risk. This may include cyber risk tools, the risks those tools address (e.g., external attack surface or risk of data loss) and the processes their teams follow to mitigate identified risks.
Leaders across security and audit must work with the board of directors to create a process, if one is not already in place, for how the board will plan to oversee cyber risk. This may include making cybersecurity a permanent topic in QBRs to review risk scores, key drivers of risk, mitigation actions, and needed investments.
Security leaders must identify and interview board members with cybersecurity expertise so that this expertise can be captured and described in annual and proxy filings.