Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

SEC Public Company Cybersecurity Rules

New SEC rules will require prompt disclosure of incidents, clear reporting on cyber risk management policies and procedures, and deeper board-level involvement.


In July 2023, the US Securities and Exchange Commission (SEC) issued a new set of cybersecurity disclosure rules pertaining to public companies in the United States. These rules are meant to help investors make decisions about where to invest by providing more information about how seriously an organization takes cybersecurity risks.

Companies that can share details on their process for tracking cyber risk—such as how they create and track cyber risk scores over time, while creating a repeatable, straightforward process for reporting to and engaging their board of directors on cybersecurity risk—stand to differentiate themselves in the eyes of investors.

The SEC seeks to thread a needle between organizations providing enough data to inform investors while not “increasing a company’s vulnerability to cyberattack … to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors.” 

The Federal Register shows the rules took effect September 5, 2023.


Key new SEC cybersecurity rules

New Form 8-K Item 1.05
New Form 8-K Item 1.05
Disclosure of the details of material cybersecurity incidents within four business days of such determination.
New Regulation S-K Item 106(b)
Provide a description of the “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats…”
Cybersecurity disclosures
To be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
New Regulation S-K Item 106(c)
Provide a description of the board of directors’ oversight of cybersecurity risk and their role and expertise in assessing and managing material risks from cybersecurity threats.
How To Prepare
Rally the team for cyber-related filings

Review new rules with security leads, as well as audit and finance teams who manage filings, to create a process to meet the four-day deadline in the case of a material event.

Understand what constitutes “material.”

Ensure your company has a strong grasp on how to determine when a cybersecurity event meets the threshold of being “material.”

Describe the cyber risk process

Security leaders must draft their description of the process for understanding and assessing cyber risk. This may include cyber risk tools, the risks those tools address (e.g., external attack surface or risk of data loss) and the processes their teams follow to mitigate identified risks.

Sit with the board

Leaders across security and audit must work with the board of directors to create a process, if one is not already in place, for how the board will plan to oversee cyber risk. This may include making cybersecurity a permanent topic in QBRs to review risk scores, key drivers of risk, mitigation actions, and needed investments.

Leverage board cyber expertise

Security leaders must identify and interview board members with cybersecurity expertise to capture and share in annual and proxy filings.

Zscaler Risk360

Risk360: How Zscaler thinks about cyber risk

Zscaler Risk360™ is a comprehensive and actionable risk framework that delivers powerful cyber risk quantification by ingesting real data from an organization’s Zscaler environment. Risk360 offers intuitive visualizations, financial exposure detail, and board-ready reporting, along with detailed, actionable security risk insights to immediately use for mitigation.
Risk360 measures cyber risk across key areas of the attack chain:

External attack surface
See the risk of attackers finding and exploiting attack surface weaknesses with an examination of discoverable variables.
Understand and mitigate risk by looking at a broad range of events, security configurations, and traffic flow attributes to compute the likelihood of a compromise.
Lateral movement
See the company’s risk of lateral threat propagation by examining a range of private access settings and metrics.
Data loss/exfiltration risk
Analyze and limit the risk of attackers exfiltrating data.
dots pattern


Take the next step

Let our experts show you how Zscaler Risk360 minimizes your organization's attack surface, prevents lateral movement, and negates the risk of data loss.