The Securities and Exchange Commission (SEC) recently adopted significant changes around cybersecurity risk management, strategy, governance, and incident disclosure requirements for public companies. These new rules will require public companies to expand their cybersecurity preparations and provide more transparency to investors around cyber risks and incidents.
While the new requirements directly impact publicly traded companies in the US, they have broader implications for cybersecurity practices at organizations of all types and sizes. Below is an overview of the key rule changes and what businesses across sectors can do to prepare.
Overview of the SEC Cybersecurity Rules
The SEC rules focus on three primary areas:
Cyber Risk Management and Strategy
- Public companies must disclose whether they have designated cybersecurity expertise at the board level.
- Firms must establish and document cybersecurity policies and procedures that are reviewed at least annually.
- Companies must develop cybersecurity risk management strategies that identify material risks, assess potential impacts, and detail efforts to manage them.
Incident Disclosure
- Material cybersecurity incidents must be reported to the SEC within four days. Updates to initial reports are expected promptly.
- An incident is material when it reaches the threshold a reasonable investor would consider important to their decision-making.
- Reported details must include the incident's effects, remediation efforts, cyber insurance impacts, and estimated costs.
Governance
- Companies must report whether a board member, board committee, or other governance body has oversight focused on cybersecurity.
- Cyber expertise must be considered when selecting members of the board of directors.
- New cybersecurity disclosures are required in proxy statements and annual reports.
Impacts for All Organizations
While mandated only for public companies, elements of the SEC rules reflect risk oversight and cybersecurity best practices that can benefit organizations in any sector:
- Documenting cyber policies, procedures, response plans, and risk strategies ensures systematic preparedness and accountability.
- Regular cybersecurity reviews and board reporting keep controls aligned with the current threat landscape.
- Describing cyber expertise involved in oversight highlights commitment and competence around security.
- Prompt reporting on material cyber incidents allows customers, partners, and regulators to assess potential impacts on themselves.
Steps Enterprises Should Take Now
All enterprises should incorporate cybersecurity into their business strategy, proactively assess their cybersecurity programs, and consider improvements in areas like:
Cyber Risk Management
- Perform assessments covering assets, controls, vulnerabilities, financial/operational impacts, and incident probabilities. Update regularly.
- Define risk management strategies across security, IT, legal, finance, HR, PR, business continuity planning, and other groups.
- Document cybersecurity policies, standards, procedures, and controls in a central repository. Review at least annually.
Incident Response Preparedness
- Establish incident response plans detailing roles, communications protocols, investigation procedures, mitigation, and public disclosure policies.
- Conduct tabletop exercises to validate response plans across the organization. Identify potential gaps.
- Explore cyber insurance options that could offset the costs of incidents, liability claims, or business interruptions.
Governance and Board Oversight
- Involve leadership and boards in governance, planning, risk assessments, and program reviews.
- Consider forming board committees or advisory groups focused on cyber risks and strategy.
- Require cybersecurity sign-off for change management decisions that could increase risks.
Vendor and Supply Chain Risk Management
- Assess cyber risks from vendors, partners, and across supply chains. Coordinate mitigations.
- Negotiate cybersecurity contract terms such as mandatory incident notification, liability limits, assurance reports, and audit rights.
Cybersecurity Expertise and Workforce
- Review board and executive skill sets to identify existing cybersecurity expertise and determine whether additional expertise is needed.
- Implement cybersecurity training, certification, and retention initiatives to build a robust cybersecurity workforce.
Positioning Cybersecurity Programs for the Future
The SEC rules highlight rising expectations from regulators and shareholders around cybersecurity governance, planning, transparency, and disclosures.
While public companies are the focus of these specific regulations, the guidance provides an essential overview of cybersecurity best practices that all organizations should consider adopting.
Organizations that demonstrate systematic cyber risk management, response readiness, and governance will gain trust and competitive advantages. By proactively aligning with these leading cybersecurity practices, businesses can confidently demonstrate their commitment to customers, partners, investors, and regulators.
Contact us to learn how we can help you become more proactive with cybersecurity.