Earlier this year, the SEC issued new rules for cyber risk management, cyber governance, and cyber incident reporting designed to give investors a better understanding of the increasing impact of cyber incidents on public companies. Those new rules will take effect on December 15, 2023, and will require heightened awareness and knowledge from the C-suite and board of directors.
New reporting requirements
Cyber risk management and cybersecurity were already climbing to the top of priority lists for leadership teams of all sizes across all industries, but the new SEC rules will require an additional level of “buy-in” and recognition. As of December 15, 2023, the SEC will require:
- Current reporting on material cybersecurity incidents on Form 8-K
- Cybersecurity risk management and strategy reporting on Form 10-K, which includes disclosures regarding:
  - Policies and procedures to identify and manage cybersecurity risks
  - Management’s role in implementing cybersecurity policies and procedures
  - Updates about previously reported material cybersecurity incidents
New responsibility for C-suite and IT security teams
The new regulations will require board members and C-suites to be more aware and knowledgeable on the issue of cybersecurity and to have a deeper understanding of the potential impacts of a cyber incident. Security leaders and IT practitioners will need to share relevant information in a way that board members will understand and be able to tie that information to business outcomes. Security leaders should focus on making the information easily understandable to bring clarity to this audience, interpreting technical terms and situational nuances to bridge the gap between these two drastically different worlds.
Determining materiality will need to be a group effort (not just security leaders). The SEC has not defined materiality, so it will be up to the reporting company to analyze the cybersecurity incident “without unreasonable delay” inclusive of quantitative and qualitative factors.
Make cyber matter to new audiences
One of the major challenges for security leaders will be effectively relaying important information to a relatively unfamiliar audience. Avoiding the use of technical jargon and using simpler terms will be the foundation of effective communication. Experts recommend using the following terms to explain a company’s cyber risk:
- Attack surface: anything that can be exploited by cybercriminals
- Risk of compromise: the likelihood that a bad actor will take advantage of vulnerabilities
- Lateral movement: the ability of a cybercriminal to move laterally within the environment to find sensitive information
- Data loss: what are the chances of data being stolen once it is found?
- Third-party vendor: any vendor that has access to sensitive data or is relied upon to fulfill critical business functions
- Exposure: what is the company’s risk of financial losses?
Clear and definable terms like these make it easier to facilitate a meaningful discussion to form a collective agreement on your company’s security strategy.
Taking action on cyber risk
All registrants are required to perform a gap assessment to identify gaps between the new SEC cybersecurity rules and the registrant’s current practice. Furthermore, they need to assign accountability for remediation. The discussion on cyber risk awareness may lead to the question “How do we mitigate cyber risk?” The answer will vary from company to company based on size, nature of the business, resources available, and many other considerations. Each company must assess its situation holistically, and as a first step should consider eliminating legacy technologies and replacing them with more modern architectures.
Cyber risk mitigation is an arduous and complex process, and in some cases, it may be more than some companies can handle on their own. Our cybersecurity specialists have assisted companies at all stages of cybersecurity implementation at various steps throughout the process. Fill out the form on this page to connect with one of our specialists to discuss cyber strategies.
Bottom line on the new regulations
The new SEC rules were intended to enhance transparency for investors, but they may have also drawn more attention to the need for enhanced cybersecurity risk management and processes at all levels of a business. The greater understanding we have around cyber, the better prepared we can be to protect our cyber landscape.
Written by Norman Comstock and Luke Nelson.