New SEC cyber Disclosure Rule

With the new SEC cyber disclosure rule, the SEC puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. At most companies, responsibility for compliance will rest with those in several primary roles, each with their own questions to ponder. Coordination among these executives in answering those questions is going to be critical. The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. This gives your organization approximately five months to confirm your compliance plans before the new disclosure requirements take effect in mid-December. The revisions from the proposed rule have streamlined the disclosure requirements in many ways, in response to more than 150 comment letters filed by issuers, investors, and other parties.

Are the details of my cyber risk management program sufficient to disclose to investors to the extent required by the SEC’s expanded disclosure requirements? How much do we disclose without introducing additional risk to the company? How will we make sure that the people responsible for determining the materiality of a cybersecurity incident have the information they need to make that determination without unreasonable delay? If an incident is material, how do we confirm that required information is included in the filed 8-K within the SEC’s four-day window?

The new rule: what it says, who’s responsible

The final rule requires that, in annual 10-K filings, companies add details describing their cyber program.

It also requires mandatory and speedier filing of Form 8-K for reporting material cybersecurity incidents to the SEC when they occur — within four days of determining that an incident is material. In the rule, cyber incident means an unauthorized occurrence (or series of related occurrences) on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

The rule provides for a series of extensions if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Cyber risk management and strategy
• Establish a baseline set of policies & standards
• Execute infrequent risk assessment
• Develop strategy and maturation initiatives

Cyber incident reporting
• Establish a baseline set of policies & standards
• Execute infrequent risk assessment
• Develop strategy and maturation initiatives

Cyber governance
• Establish a baseline set of policies & standards
• Execute infrequent risk assessment
• Develop strategy and maturation initiatives

Assess and test your preparedness

Is your cyber program disclosure-ready? Test your answers to the questions above. A thorough diagnostic overview of these findings can show you precisely where you need to make changes, to satisfy investors and the public that you are protecting company assets and the company’s reputation.

You may also wish to schedule a “tabletop” exercise in which you and your team enact the processes that you will employ in the event of a cybersecurity incident — to include the process for determining materiality and providing the information required by the 8-K within four business days of the materiality determination. If you’re not confident that you’re ready to make these disclosures properly or in a timely manner, then this sort of exercise will help you get there. If you do feel confident, then a tabletop can validate your conviction — or raise flags that you might not have seen otherwise.

Clients who’ve run these assessment diagnostics and preparedness exercises often find, to their surprise, that they’re not as ready for the new SEC disclosures as they thought. Taking these steps now can help you avoid unpleasant surprises later: not only SEC fines, but also loss of investor confidence and trust and market value.
