The new SEC cybersecurity rules require a closer focus on three areas: oversight of cyber risks, cyber risk management, and disclosure of material incidents and risks. Larger public companies with established cybersecurity processes and resources can likely adjust existing roles and reporting to account for the new standards, but their smaller counterparts may need to adjust infrastructure and leverage alternative resource models such as managed services to meet compliance standards.
Oversight of cyber risks
The new rules seek to bridge the gap between corporate boards and cybersecurity leadership. SEC registrants (Form 10-K) and foreign private issuers (Form 20-F) must describe the board’s oversight of cybersecurity risks and management’s role in assessing and managing material threats.
Ultimately, boards must increase their oversight of cybersecurity risks and develop a governance culture that increases visibility into threats. The governance structure should provide defined roles that include security ownership and prescribe processes to inform the board and committees about emerging risks. IT controls should also be measured, monitored, and reported to further understand evolving risks.
Cyber risk management
Organizations must articulate their processes for assessing, identifying, and managing material risks from cybersecurity threats as a part of their annual 10-K reporting. The material effects of those risks on the company’s business strategy, operations, or financial condition must also be disclosed.
The SEC amended the final cybersecurity rules to remove a proposed list of risk types, hoping to avoid the perception that the rules prescribe cybersecurity policy. However, the agency sought to provide guidance by referencing risks such as intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, and reputational risk. Disclosures in Forms 10-K and 20-F are required beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
Periodic company-wide cybersecurity assessments are an essential part of the risk management process and are critical in addressing and documenting potential risks. Assessments help identify issues early to enable an organization to put controls in place before risks become material.
Disclosing material incidents
Organizations must disclose incidents that have a material or reasonably likely material impact using Form 8-K within four days after the company determines the incident is material. This requirement is effective beginning 90 days after publication in the Federal Register, or Dec. 18, 2023, but smaller companies will have an additional 180 days.