Get Ahead of SEC’s New Cybersecurity Rules: Companies, Be Prepared!

January 9, 2024
Summary of Article

  • The SEC has finalized cybersecurity rules that expand public companies’ cyber risk management and disclosure responsibilities.
  • Companies must disclose their risk management, strategy, and governance processes to meet the new requirements.
  • Material cybersecurity incidents must be disclosed within four business days of determining materiality.
  • The rules will impact both public and private companies.
  • The state of cyber compliance is impacting all companies, not just public ones.
  • Leaders can prepare for the new rules by investing in employee training and breaking down internal silos.
  • Third-party assessments can help companies assess their cyber risk management program.
  • Timely disclosure is now a necessary component of any viable cybersecurity program.

The Securities and Exchange Commission (SEC) has finalized cybersecurity rules that expand public companies’ cyber risk management and disclosure responsibilities. The rules require companies to disclose their risk management, strategy, and governance processes, as well as the roles of both management and boards, in assessing and managing cyber risk. This includes disclosing the committees responsible for cybersecurity oversight and how they are kept informed.

In addition, public companies must disclose material cybersecurity incidents within four business days of determining materiality. Materiality is determined based on quantitative and qualitative factors, and companies must be confident in their ability to quickly detect and analyze a breach and report their findings to internal and external stakeholders.

The impact of these rules goes beyond compliance and will affect both public and private companies alike. State and local organizations have introduced similar regulations, and private companies serving public companies may become contractually required to help their public company customers comply with the new rules. This means that an increased focus on vendor risk and contractual management will be critical.

Company leaders can prepare for these new rules by investing in employee training and breaking down internal silos that may hamper collaboration in responding to a cyber incident. Even companies with mature cybersecurity programs may lack the speed of reporting necessary to meet the SEC’s requirements. By mapping out key stakeholders and the necessary information for making a materiality determination, companies can be better prepared to meet the reporting requirements.

Third-party assessments, such as a System and Organization Controls (SOC) for Cybersecurity report, can also help companies assess their cyber risk management program and their ability to fulfill reporting requirements. These assessments can help define cybersecurity processes and readiness levels, preparing companies to answer questions from investors, regulators, and other stakeholders.

The SEC’s cybersecurity rules signal that timely disclosure is now a necessary component of any viable cybersecurity program. Companies must be able to quickly assess and report on material cybersecurity events. Reporting on these events can also help educate internal team members on their roles and responsibilities concerning cybersecurity, enhance collaboration, and better prepare companies to respond to incidents swiftly and thoroughly.
