Have You Met the SEC’s Cybersecurity and Disclosure Rules?

Learn more about the SEC’s Cybersecurity and Disclosure rules put into place last year, how to be prepared, and what constitutes materiality.

Bill McLaughlin, President, Thrive

August 21, 2024


It’s been a year since the Securities and Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules, and the rules have been in effect for about six months. These mandates require organizations to disclose any material cybersecurity incidents they’ve experienced and to report material information about their cybersecurity risk management, strategy, and governance annually.

While these rules are meant to provide better transparency for stakeholders, organizations that must comply still face many challenges with filings and disclosures. Yet not every question has to go unanswered. Looking at what has worked for other companies to date can give insight into best practices and help others get on track to comply with SEC regulations.

Documenting Your Cybersecurity Strategy 

A common question that is still top of mind for many organizations is where to start when documenting their cybersecurity strategy. Organizations are required to complete several forms and reports, such as the 8-K and 10-K forms. The 10-K form is required to show what processes, if any, an organization has for assessing, identifying, and managing cyber risks and threats. Additionally, the form includes space for documenting the material effects of risks from current cybersecurity threats and previous cybersecurity incidents. Organizations must also describe their board of directors’ oversight of risks from cybersecurity threats and their management’s role and expertise in assessing and managing cybersecurity risks.  


The first step any organization should take is an audit to understand where gaps exist, so that it can accurately report on them, take steps to address them, and ultimately meet all the requirements. One way to do this is through SEC-based readiness assessments, which can help identify how well IT compliance aligns with the SEC rules and provide clarity for strategy development around any areas of improvement. This process will show where cybersecurity measures may be lacking and lay the groundwork for effective compliance strategies.

What Constitutes Materiality? 

Materiality refers to the significance of the cybersecurity incident in terms of its potential impact on your organization's financial condition, operations, or reputation. The determination of materiality often involves assessing various factors, including: 

  • Financial impact: Potential or actual financial losses for your organization, including costs related to data breaches, ransomware activity, system recovery, legal fees, regulatory fines, and loss of revenue. 


  • Operational impact: Disruptions to business operations, including the inability to access critical systems, data loss, and interruption of services. These disruptions can be quantified using the mean time to detect (MTTD) and mean time to resolve (MTTR) key performance indicators.

  • Reputational impact: Potential damage to the organization's reputation and brand, which can result in loss of revenue, customer trust, negative media coverage, and even long-term impacts on business relationships. 

  • Legal and regulatory implications: Compliance with legal and regulatory requirements for your industry, including obligations to report breaches within specific timeframes and the potential for regulatory penalties. 

  • Customer and stakeholder impact: Effects on your customers, suppliers, and other stakeholders, including data breaches that compromise personal information. 

8-K Requirements and How to Stay in the 4-Day Window 

As part of the SEC rules, organizations are required to file an 8-K form detailing their cybersecurity incidents. The 8-K must be completed and filed within four business days, which can be challenging for organizations that don’t have an in-house CISO or an organized cybersecurity framework. To stay compliant with the four-day window and maintain an IT stack robust enough to handle any incident reported on an 8-K, organizations should:


  1. Conduct a preliminary assessment to gauge the potential impact of the incident. Even if the full details are unknown, an initial evaluation can provide an early indication of materiality. 

  2. Follow the regulatory requirements for reporting cybersecurity incidents. Many regulations allow for initial reporting with subsequent updates as more information becomes available. 

  3. Communicate with key stakeholders, including any regulators, customers, and partners, and inform them of the incident. Provide periodic updates as the investigation progresses. Transparency is crucial in managing reputational risks. 

  4. Seek guidance from legal experts to ensure compliance with relevant laws and regulations. They can provide crucial advice on reporting obligations and help your organization navigate the complexities of the incident. 

  5. Keep detailed records of the cyber incident, the steps your organization has taken to assess and mitigate the impact of the incident, and any communications with stakeholders. Good documentation is essential for regulatory compliance and future reference. 

Addressing the SEC’s rules on risk management, training, and governance within your organization is not only required but can ultimately improve security posture and increase resilience. Effective risk management, comprehensive employee training programs, and clear policies and procedures all play a role in establishing a security-first culture that promotes transparency and accountability. With the right tools, partners, and processes in place, organizations can build a strong foundation for security and success, enabling them to navigate challenges confidently and maintain stakeholder trust.

About the Author

Bill McLaughlin

President, Thrive

Bill McLaughlin is President of Thrive, a global technology outsourcing provider for cybersecurity, Cloud, and IT managed services. Drawing on his nearly 20 years of MSP industry experience, Bill drives more value, messaging, communication, and faster platform adoption to Thrive’s customers. In his current role, he oversees Thrive’s dedicated team of General Managers, Virtual CIO and Customer Success Managers in each U.S. region and supports Thrive’s expanding global footprint and clientele with the company’s extensive NextGen portfolio of Cloud, Cybersecurity, Networking, and Business Continuity services. 
