- The SEC has finalized cybersecurity rules that expand public companies’ cyber risk management and disclosure responsibilities.
- Companies must disclose their risk management, strategy, and governance processes to meet the new requirements.
- Material cybersecurity incidents must be disclosed within four business days of determining materiality.
- The rules will impact both public and private companies.
- The state of cyber compliance is impacting all companies, not just public ones.
- Leaders can prepare for the new rules by investing in employee training and breaking down internal silos.
- Third-party assessments can help companies assess their cyber risk management program.
- Timely disclosure is now a necessary component of any viable cybersecurity program.
The Securities and Exchange Commission (SEC) has finalized cybersecurity rules that expand public companies’ cyber risk management and disclosure responsibilities. The rules require companies to disclose their risk management, strategy, and governance processes, as well as the roles of both management and boards, in assessing and managing cyber risk. This includes disclosing the committees responsible for cybersecurity oversight and how they are kept informed.
In addition, public companies must disclose material cybersecurity incidents within four business days of determining materiality. Materiality is determined based on quantitative and qualitative factors, and companies must be confident in their ability to quickly detect and analyze a breach and report their findings to internal and external stakeholders.
The impact of these rules goes beyond compliance and will affect both public and private companies alike. State and local organizations have introduced similar regulations, and private companies serving public companies may become contractually required to help their public company customers comply with the new rules. This means that an increased focus on vendor risk and contractual management will be critical.
Company leaders can prepare for these new rules by investing in employee training and breaking down internal silos that may hamper collaboration in responding to a cyber incident. Even companies with mature cybersecurity programs may lack the speed of reporting necessary to meet the SEC’s requirements. By mapping out key stakeholders and the necessary information for making a materiality determination, companies can be better prepared to meet the reporting requirements.
Third-party assessments, such as a System and Organization Controls (SOC) for Cybersecurity report, can also help companies assess their cyber risk management program and their ability to fulfill reporting requirements. These assessments can help define cybersecurity processes and readiness levels, preparing companies to answer questions from investors, regulators, and other stakeholders.
The SEC’s cybersecurity rules signal that timely disclosure is now a necessary component of any viable cybersecurity program. Companies must be able to quickly assess and report on material cybersecurity events. Reporting on these events can also help educate internal team members on their roles and responsibilities concerning cybersecurity, enhance collaboration, and better prepare companies to respond to incidents swiftly and thoroughly.