New SEC Cybersecurity Rules: What They Require and How to Comply


Cyber attacks have been around for as long as the internet has existed, but they’ve been growing in severity, sophistication, and volume over the last few years. They’ve crippled industries, stolen reams of sensitive data, and demanded eye-popping ransoms from their victims.

The United States federal government has taken notice of this trend, and now it is taking action: on July 26, 2023, the SEC approved new cybersecurity rules that target publicly traded companies, especially in the tech industry.

These rules introduce new disclosure requirements for cybersecurity incidents and mandate reporting on how companies manage cyber risk, among other requirements. They stand to substantially alter the way organizations must approach cyber risk management.

Organizations with existing cybersecurity risk management programs will need to update them to ensure they meet the standard necessary for complying with the rules’ requirements, while companies that haven’t stood up cyber risk programs will need to quickly do so to meet the December 2023 compliance deadlines.

In this article, we’ll unpack the SEC’s new rules in detail and explore ways companies can use GRC strategies and technology to streamline compliance.

What’s in the SEC’s new cybersecurity rules?

The first step in understanding the new SEC cybersecurity rules is to get a full picture of what they’ll actually require. Let’s take a look.

Who do the rules apply to?

The new rules apply primarily to public companies operating in the United States, but they also carry implications for private companies that work with larger public companies or plan on going public in the near future, as well as foreign private issuers.

Cybersecurity incident disclosure and deadlines

The part of the rules that will have the most immediate impact, and that has garnered the most attention, is the strict reporting timeline: organizations must disclose cybersecurity incidents within four business days of determining that they were material in nature. These disclosures will be made on Form 8-K, the form used to report significant events that could affect shareholders.

That’s a very tight deadline, and meeting it will require every organization to have efficient and effective cyber risk management programs in place. What’s more, organizations will need to comply with that deadline for every material cyber incident. That means they’ll need streamlined, repeatable processes for making those disclosures.

In instances where there is concern that reporting a particular incident publicly within such a short time frame could cause more harm — such as tipping off threat actors or exposing the organization to additional attacks — these deadlines will be extended to 60 days. That’ll also be the case for any incidents where reporting could pose a public safety or national security threat.

Organizations will also need to report cybersecurity incidents on a quarterly and annual basis through Forms 10-Q and 10-K. These more detailed, periodic disclosures will also need to include information on how the cyber incidents an organization has experienced in the reporting window have affected or resulted in changes to its business strategy.

Form 10-K will also now require organizations to provide descriptions of their overall 

Foreign private issuers will be required to report similar information on Forms 6-K and 20-F.

Requirements and compliance deadlines by form

Forms 8-K and 6-K

Compliance deadline: December 18, 2023, or 180 days after this date for smaller organizations.

Requirements:

  • Disclose any cybersecurity incident determined to be material.
  • Describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
  • Disclose whether the incident has been remediated or if remediation is ongoing.
  • File the disclosure within four business days after the registrant determines that a cybersecurity incident is material.

Forms 10-K and 20-F

Compliance deadline: December 15, 2023

Requirements:

  • Describe cybersecurity risk management processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
  • Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
  • Describe processes for managing third-party cyber risk.
  • Disclose any use of consultants, auditors, or other third-party service providers in cyber risk assessment.
  • Describe business continuity plans.
  • Describe how cyber incidents have affected the organization’s finances or operations, and how that has informed strategy. 

Form 10-Q

Compliance deadline: December 15, 2023

Requirements:

  • Summary of all cybersecurity incidents reported through Form 8-K, plus updates on those incidents.
  • Disclosure of any nonmaterial incidents that have become material in aggregate.

Reporting on cyber risk management and governance

Beyond the ongoing disclosure requirements, the SEC’s rules are also intended to ensure shareholders and federal regulators are informed about an organization’s cyber risk management and governance practices. To this end, organizations will be required to provide detailed descriptions of their overall cybersecurity practices and cyber risk management programs, and provide information on the board’s involvement in overseeing and managing cyber risk.

Effects on private companies

Although the rules only technically apply to publicly traded companies, private companies aren’t entirely off the hook here. Private companies that provide services to larger public companies will almost certainly find themselves under the microscope as their clients increase scrutiny of third-party risk to comply with the new rules, and private companies that plan to go public will need to prepare to start complying with the SEC’s requirements ahead of time.

How to prepare for complying with SEC cybersecurity rules

Now that we know what’s actually in the rules, let’s take a look at some steps organizations can take now to prepare for compliance.

Centralize your cybersecurity risk data

Since the new rules require both disclosure of incidents as they’re discovered and higher-level, holistic reports on your overall cybersecurity strategy on a quarterly and annual basis, the first step organizations should take is to find a way to centralize cybersecurity risk assessment and incident data.

Keeping all of this information in one place — rather than having it strewn across a mess of spreadsheets or lost in email inboxes — makes it more likely you’ll be able to meet the SEC’s strict deadlines and won’t have to spend time tracking down the information you need from various departments and stakeholders every time an incident needs to be disclosed.

Obtain cyber risk quantification capabilities

Organizations have traditionally relied on qualitative methods, such as ordinal lists or red-yellow-green severity charts, to determine how significant a cybersecurity incident or other risk event might be. The SEC recommends taking these types of assessments into consideration when determining incident materiality, but cyber risk quantification is a much more accurate way to understand the true financial impact of an incident.

A quantified understanding of the potential financial impact of the cyber risks your organization faces will also help you take the steps needed to mitigate your most costly risks, or, better still, avoid them entirely. That will reduce the overall volume of disclosures you need to make.

Upgrade your incident management processes

Now is a good time to conduct a full review of your organization’s incident management processes and make sure they’re up to par for identifying, addressing, and reporting on cybersecurity incidents. The more streamlined and refined these processes are, the easier it will be to intercept cyber risks before they become a problem and quickly report them if they do.

Improve your cybersecurity and cyber risk governance

A big part of complying with the SEC’s new rules is making sure your board of directors is well enough informed about how your organization manages cybersecurity risk. You should put the reporting and communication processes in place to make sure that leadership is regularly receiving information about your cyber risk management efforts and any cyber incidents the company has experienced, as well as how they could affect — or are affecting — your organization’s strategy or finances.

Ensure your third-party relationships are secure

The new rules are also designed to ensure that covered organizations are assessing cyber risk beyond the walls of their own organization. The requirements for reporting on how your organization assesses third-party cyber risk and selects secure vendors mean it’s imperative that you put an effective third-party risk management program into place. Indeed, supply chain attacks targeting smaller contractors and vendors are among the most common causes of cybersecurity incidents at larger organizations.

Foster a healthy cyber risk culture

Digital transformation has affected almost every organization in some way, especially in the years since the COVID-19 pandemic pushed so much of work and life online. That means more employees are connecting to organizational networks from more locations and devices than ever before, exponentially expanding our cybersecurity attack surfaces. 

This trend means it’s never been more important to build a culture of cybersecurity risk awareness that positions cybersecurity as everyone’s responsibility, not just the information security team. The greater awareness of the threat cyber risk poses to your organization you’re able to instill in its members, the better your overall cybersecurity posture will be and the less time you’ll need to spend disclosing incidents to the SEC.

Get the right tools for the job

Traditional, manual methods like email or spreadsheets can no longer keep up with the rapid pace at which cybersecurity landscapes are changing. Ensuring you’re staying on top of cyber risk, managing incidents quickly and effectively, and swiftly communicating the results of these efforts requires modern GRC software.

LogicGate Risk Cloud includes everything you need to streamline and automate compliance with the SEC’s new cybersecurity rules at any scale. Risk Cloud empowers cybersecurity teams to:

  • Centralize compliance management
  • Automate risk assessment
  • Build comprehensive reports
  • Streamline employee attestation
  • Manage policies and procedures
  • Align your entire organization around compliance goals
  • Stay up to date on evolving cybersecurity threats and changing regulations

Schedule a demo today to see how Risk Cloud can bolster your cybersecurity programs and help you build a more secure, resilient organization.
