Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

As of July 2023, the U.S. Securities and Exchange Commission (SEC) has moved to adopt a new cybersecurity rule on risk management, strategy, governance, and incident disclosure by public companies. The new rule requires SEC registrants to disclose material cybersecurity incidents and disclose material information on an annual basis. These new regulations will enforce a new degree of transparency for several facets of organizations. 

With the new SEC Cybersecurity Rule, registered organizations must describe the material aspects of the incident's nature, scope, and timing and its material impact or likely impact. Additionally, the SEC rule requires that organizations describe their cyber risk management process, the Board of Directors’ oversight of cyber risks, and management’s role and expertise in assessing and managing cybersecurity threats. 

The new SEC rule's two essential themes are transparency and board oversight. Follow along in this blog to understand how the rule impacts cyber risk management in publicly traded organizations. 

SEC Data Breach Reporting Rule 

The SEC requires publicly traded companies to report material cybersecurity incidents, including data breaches, through a Form 8-K within four business days of determining the incident's materiality. The SEC defines "materiality" as any event that a reasonable investor would consider important in making an investment decision. Companies must disclose the nature of the breach, its impact on operations, and any potential financial or legal consequences. In addition to the initial disclosure, companies must provide updates on the breach and its remediation efforts in periodic filings like 10-Qs and 10-Ks. This rule ensures that investors have timely and accurate information regarding cybersecurity risks.

Increased Transparency in Cyber Risk Management

Trust between companies and people has been hit. Following several data breaches in the past few years, people are worried about their privacy. Add new forms of technology like AI into the mix and the misinformation around AI, the problems grow more complicated. The public’s confidence in the ability of companies and governments to keep private information secure has been eroded. As a response, the SEC has taken a new role in promoting transparency and requiring companies to disclose how they manage cybersecurity risk

In the past, regulatory boards have let organizations develop their own approaches to cybersecurity and self-regulation. This laissez-faire approach led organizations to have varying levels of security and disparate processes that left people unprotected. People want to see what companies are doing to protect information, and investment is an incentivizing lever that the SEC is betting will improve cybersecurity practices across the board.

The SEC Requires New Board Oversight 

An important distinction is that the SEC rule does not mandate that boards engage in oversight. The rule requires disclosing the board's leadership, impacting how the investor community perceives the enterprise. Investors want to trust that the boards are exercising oversight. This means that Boards need to have reporting on cyber threats, understand the implications, and demonstrate that they understand the reporting and are asking the right questions. If anything were to go wrong with the organization, the board's judgment would be scrutinized by regulators.

Suppose Board members do not understand the reporting that is brought to them. In that case, it is the responsibility of the Board to ask for that reporting and have it contextualized in business terms. There are several questions the Board should ask of the cyber team; here are a few: 

  • What are security professionals reporting to the Board regarding the threat landscape, and how does that relate to the organization's strategic plan? 
  • What is the relationship between the management team's efforts to combat threats?
  • Are we combating threats on our most critical business tools? Or are we fighting threads on data that we may not need anymore?
  • What data is critical to the organization and is needed to implement short-term and long-term strategic plans?
  • Provide the correlation between the critical data needed to advance the enterprise and the currently accessible data. 

Through these conversations, security professionals often identify a significant amount of data needed to move forward and a lot of data that's heightening the risk they don't need and is not core to strategy.

There’s a normative shift in what we think good business judgment is for the largest companies in the world, and that good judgment includes a good assessment of cyber risks.

 

 

 

 

The SEC’s Impact on Other Business Ecosystems 

While the SEC’s jurisdiction only applies to publicly traded companies, given the interconnectivity of the digital world, the rules will have a domino effect. Enterprises will need to consider the cyber approaches of their vendors and partners. Not only should boards ask about the cyber risks of their own company, but they must also question the cybersecurity of the company’s vendors, partners, and even customers to better manage who they partner with and which vendors they use. 

Companies are beginning to send out more intensive vendor questionnaires about their cybersecurity, coming from the top. Vendor questionnaires are becoming more necessary instead of nice to have. Whether the company is part of the education sector or a nonprofit, every organization should look at how to become a data leader regardless of industry.

SEC Mandatory Disclosure Rule 

Regarding leadership and Boards, the board's oversight of risk from cybersecurity threats will be required to be reported on.
 
For CISOs, the new rule means they must work with different leaders within the organization to meet the reporting requirements. CISOs may need to work with the General Counsel, CFO, government affairs, and other C-suite teams to ensure that they report on the correct information required to make informed decisions and that they're meeting the requirements of the disclosure rules.
 

Even before a breach, it's critical to work with and build relationships with the key stakeholders across finance, legal, and other teams to ensure that when the time comes, CISOs understand what needs to be communicated and discussed with the Board and what is required to be reported regarding the materiality of a specific breach.

Download our guide to reporting on cybersecurity to the Board for a playbook on Board reporting according to the SEC Reporting Requirements.

The Effect of the SEC Rules 

The SEC rules have introduced a new level of reporting that raises a new level of transparency and forces CISOs and security leaders to collaborate with other organization leaders to ensure they are reporting on the correct information. Conversely, the new rules will push Boards to assess whether they are asking the right questions. Disclose the mandated report to ensure organizations are safe with their investors and customers. 

Point solution cannot provide the transparency needed across operations. CyberStrong is an all-in-one cyber risk management platform that delivers automated solutions from cyber risk assessment to executive reporting.

Schedule a demo to learn more about our transparent cyber risk management approach.

You may also like

How to Streamline Your ...
on December 24, 2024

Many industry regulations require or promote cybersecurity risk assessments to bolster incident response, but what is a cybersecurity risk assessment? For example, cyber risk ...

Alison Furneaux
CISO Reporting Structure ...
on December 23, 2024

The Changing Landscape of CISO Reporting The Chief Information Security Officer (CISO) role has evolved dramatically in recent years. Traditionally reporting to the Chief ...

How to Leverage the FAIR Model ...
on December 19, 2024

In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and ...

Kyndall Elliott
How to Effectively Communicate Top ...
on December 9, 2024

Effective cybersecurity reporting is more important than ever for CISOs, CIOs, and other security leaders in today's complex threat landscape. Reporting isn’t just about sharing ...

November Product Update
on November 27, 2024

The CyberSaint team has been working hard to deliver the latest updates to streamline and improve our customers’ user experience and address their top-of-mind challenges. We’re ...

Putting the “R” back in GRC - ...
on December 5, 2024

Cyber GRC (Governance, Risk, and Compliance) tools help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate ...