6 Ways to Comply With the SEC’s New Cybersecurity Disclosure Rules

by Mark Knight, Bianca Sarrach
October 27, 2023

The Securities and Exchange Commission’s “watchful eye” over cybersecurity issues became much more focused in July 2023 when it finalized new cybersecurity disclosure mandates. The new disclosure rules, which went into effect September 5, 2023, are more rigorous and include specific requirements for registrants for fiscal years that end on or after December 15, 2023. These regulatory updates include enhanced and standardized risk management, strategy, governance and incident disclosures.

What You Have to Disclose and When

The new rules require registrants to disclose cybersecurity incidents to the SEC in a timely manner and to disclose risk management, governance and strategy measures annually.

In other words, if your company experiences a material incident, you must inform the SEC. And once a year, even if you haven’t had a material event, you must update your annual reporting to describe what is being done to prevent incidents. The timing of your disclosure after an incident is important. If an event is determined to be material, you must disclose it within four business days of the materiality determination. If that determination is on a Saturday or Sunday, you have until Thursday to submit the report. Similarly, if the determination occurs on a holiday when the SEC is closed, you have until four business days after that holiday.
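As an added example (not code from the original article), the deadline rule above as a small calculator: the filing is due on the fourth business day after the materiality determination, where a business day is assumed to be a weekday that is not on an SEC holiday list supplied by the caller (the holiday list here is a constructed sample, not the official SEC calendar):

```python
from datetime import date, timedelta

# Constructed sample holiday list for illustration only (ISO dates). The real
# SEC holiday calendar must be supplied by the caller; this is an assumption.
SAMPLE_SEC_HOLIDAYS = ("2023-11-23",)  # Thanksgiving Day 2023, a Thursday

BUSINESS_DAYS_TO_FILE = 4  # four business days after the materiality determination


def is_sec_business_day(day, holidays):
    """A business day is a weekday that is not on the SEC holiday list."""
    return day.weekday() < 5 and day.isoformat() not in holidays


def form_8k_deadline(determination_iso, holidays=SAMPLE_SEC_HOLIDAYS):
    """Return the ISO date of the 4th business day after the materiality determination.

    One rule covers all three cases in the text: a weekday determination, a
    Saturday/Sunday determination (counting starts Monday, so the deadline is
    Thursday) and a determination on an SEC holiday (counting starts on the
    next business day after the holiday).
    """
    day = date.fromisoformat(determination_iso)
    remaining = BUSINESS_DAYS_TO_FILE
    while remaining > 0:
        day += timedelta(days=1)
        if is_sec_business_day(day, holidays):
            remaining -= 1
    return day.isoformat()


def deadline_weekday(determination_iso, holidays=SAMPLE_SEC_HOLIDAYS):
    """Name of the weekday on which the filing is due, e.g. 'Thursday'."""
    due = date.fromisoformat(form_8k_deadline(determination_iso, holidays))
    return due.strftime("%A")


if __name__ == "__main__":
    # Friday, Saturday, Sunday, the day before a holiday, and the holiday itself
    for d in ("2023-10-27", "2023-10-28", "2023-10-29", "2023-11-22", "2023-11-23"):
        print(d, "->", form_8k_deadline(d), deadline_weekday(d))
```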

What Kinds of Incidents Do You Have to Report?

You must file a report for every event that has a “material impact” on your business. SEC guidance says a matter is material if there is a substantial likelihood that a reasonable shareholder would consider it important.

What Determines Materiality?

Let’s consider a brief example that illustrates how to determine materiality.

Suppose that an investment analyst at a trading firm gets a suspicious email. The message appears to come from the IT department and says the analyst needs to click a link to update their login info for the firm’s trading software.

Thanks to cyber awareness training, the analyst checks the sender’s email address and sees that it doesn’t match anyone in IT’s contact info. So, they report it to IT and move on with their day. Many firms wouldn’t consider this incident to meet the materiality standards outlined by the SEC because there was no significant impact on the company’s operations, decisions or customers.

But, if the analyst clicks the link, enters their username and password into a fake website, and a week later, someone logs into the system from a foreign IP address using the analyst’s information and steals customer billing data, the incident potentially meets the materiality standard.

Responsible firms, and likely the SEC, would consider this materially significant because there was an actual data breach, and the criminals stole sensitive information.

What’s Required on the Annual Risk Management Disclosure?

The annual risk management disclosure should include details about how your organization’s risks are connected to cyber incidents — including enough detail to answer basic questions an investor may ask. This may include information about:

  • Your processes for reporting cyber incidents
  • Who at the company communicates information about incidents and to whom
  • Whether you use third-party providers to facilitate or audit your risk management processes, as well as whom you hire and when
  • Whether you have procedures in place for managing risks from other companies with which you do business

Using Form 8-K, your organization must also disclose risks that have had a material impact on the company, its operations or its finances. This includes risks stemming from previous incidents before the new regulations took effect on September 5, 2023.

6 Ways to Comply

Even though you can comply with the SEC’s new rules by simply disclosing information, you’ll also want to evaluate the current strength of your cybersecurity defense strategy. Here are some key considerations.

1. Disclose the Right Information

As discussed above, you must disclose information about significant events and how you manage your risk. Failure to do so could result in substantial penalties, as well as reputational damage.

In some situations, you may be able to save time by not reporting information that you’ve already filed in a previous report. For instance, if you’ve hired an external company to monitor, mitigate and report attacks on your network, and that hasn’t changed since your last filing, you can simply refer to what you’ve already submitted. However, it’s essential to review the details of any measures you’ve put in place to ensure there haven't been any changes.

The SEC also specifically instructs registrants to ensure all reported information is accurate, especially regarding events of material importance. To ensure accuracy, save time and avoid costly errors, you may want to secure professional assistance.

2. Develop a Cybersecurity and Incident Response Disclosure System

A disclosure system will save you time, boost accuracy and streamline the process for providing the SEC's required information. Your disclosure mechanism may include frameworks for updating and reporting your:

  • Prevention policies
  • Risk mitigation measures
  • Incident response systems
  • Internal governance measures, such as how you store customer financial data
  • Events that meet the materiality standard

3. Perform Cyber Risk Assessments

A cyber risk assessment outlines your company's vulnerabilities, risk mitigation tools and procedures, and an inventory of your IT systems.

To cover all your bases, a comprehensive cyber risk assessment may also include quantifying your risks. This involves assessing how much financial or operational damage a risk poses. For example, a four-day ransomware attack on your internal web server may cause six days of total downtime for 18 employees. This could result in a specific amount of lost revenue, the value of which would depend on each employee’s role in your operations.

You can also use the National Institute of Standards and Technology (NIST) framework or other comparable cybersecurity frameworks to streamline the risk assessment process. These guidelines make it easier to segment your risk analysis, breaking it into a series of steps. With the NIST framework, you have a reliable structure for defining the scope and objectives of your cyber risk assessment system. NIST also makes it easier to identify, assess and prioritize your risks.

4. Run Tabletop Exercises

Tabletop exercises are simulations designed to put your organization’s cyber response systems to the test. They typically involve stakeholders such as IT team members, department managers, system administrators, engineers, compliance officers, information security officials, legal counsel and financial leadership.

For many companies, a tabletop exercise would also include public affairs and corporate governance leaders. Involving these stakeholders ensures you address procedural actions and the reputational impact of an assault.

A tabletop exercise may include simulated:

  • Distributed denial-of-service (DDoS) attacks
  • Ransomware attacks
  • Insider attacks
  • Malware attacks on different elements of your network
  • Attacks on third parties that have access to your sensitive data

5. Evaluate Your Vendors

According to the SEC’s new rules, a company must disclose whether it has “processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.” This makes it essential to evaluate the systems and tools your third-party vendors have for mitigating cyber risks. For example, you should:

  • Review your current contracts with vendors. This may reveal what they have in place for reporting and responding to incidents.
  • Issue vendor compliance questionnaires that align with the SEC’s new rules. This involves asking questions about data protection and encryption, the tools the vendor uses to prevent and mitigate attacks, and each vendor’s incident reporting procedures.
  • Obtain vendor System and Organization Controls (SOC) reports. A SOC report is a comprehensive controls audit the vendor hires a third-party auditor to produce. It outlines the controls the company uses to reduce cyber risk and report on incidents.

In addition to gathering this information, it’s also important to ensure vendors understand their obligations when it comes to reporting incidents to your organization in a timely manner. You may have to adjust current contracts to make sure they require vendors to report incidents on time.

6. Make Sure You’re SOX Compliant

There’s significant overlap between the Sarbanes-Oxley Act (SOX) requirements and the SEC’s new rules. For instance, SOX Section 404 outlines that managers are responsible for “creating and maintaining controls to manage the risks that could cause inaccurate, incomplete or fraudulent data” during the disclosure process. By conforming to SOX requirements, you may be able to check off two boxes with one stroke.

Similar to the SEC’s new rules, SOX compliance involves making sure proper controls are in place to identify and report on incidents. Many of these incidents would involve data theft or corruption, putting them under the purview of the SEC’s new rules as well.

In addition, SOX requires you to integrate your data security controls with your financial reporting systems. For example, using strong authentication controls (such as multi-factor authentication) to secure your financial systems would make it harder to compromise the data in that system. This keeps data safe both while at rest and in transit.

Authors

Mark Knight, Partner, Risk Assurance & Advisory, Armanino
Bianca Sarrach, Partner, Risk Assurance & Advisory, Armanino