A Practical Guide to the SEC Cybersecurity Rules

By Nitzan Gursky
image March 22, 2024 image 6 MIN READ

Imagine making a significant stock investment in the latest hot tech startup—only to find out, much later, that the firm had been the victim of an undisclosed data breach that seriously damaged its customers, reputation, and infrastructure. Would you have invested in the first place had you known the truth? 

Fortunately, investors no longer have to dread the financial losses of this scenario thanks to the new U.S. Securities and Exchange Commission (SEC) cybersecurity rules that place significant new reporting requirements on public companies under their jurisdiction. The 2023 FBI IC3 report revealed that data breaches caused over $534 million in losses last year, showing the need for better cybersecurity regulations and disclosures in the financial sector.

The new regulations require reporting any ‘material cybersecurity incident’ to the SEC, in their prescribed format, within four business days of the incident occurring. In addition, you must have processes to rapidly determine whether an incident is ‘material’ and have management and board responsibilities assigned to assess and manage material cybersecurity risks. 

Security training and awareness programs are widely recognized as essential components of the kind of effective security strategy that the SEC expects to comply with the new rules.

Is your financial organization’s cybersecurity program disclosure-ready and compliant with the new SEC cybersecurity rules? Let’s examine the key elements of the rules to find out.

The New SEC Cybersecurity Rules: What are they, and who are they for?

The new SEC cybersecurity rules are now in effect, applying to annual reports for fiscal years ending on or after December 15, 2023.

These regulations seek to enhance and standardize cybersecurity disclosures to be ‘more consistent, comparable and decision-useful.‘ They’re designed to introduce greater transparency for all stakeholders regarding the incidence of cybercrime and ensure that organizations have appropriate cybersecurity risk management, strategy, and board-level governance to protect and defend the business.

The New SEC Cybersecurity Rules: What are they, and who are they for?

The new rules apply to public companies subject to the Exchange Act’s reporting requirements. However, the Final Rule release notes that ‘a recent study by two cybersecurity firms found that 98 percent of organizations use at least one third-party vendor that has experienced a breach in the last two years,’ highlighting a potential indirect vulnerability for public companies.

In other words, while your company may be private, you must comply with the new SEC rules if you have a vendor agreement with a public company. Further, given the significant risk from cybercrime, it makes sense to have a mature cybersecurity risk management strategy in place to comply with SEC rules while safeguarding your business and reassuring your clients. 

What’s in the New SEC Cybersecurity Rules

The new rules focus on improving and standardizing disclosures related to cybersecurity incidents, as well as reporting on cybersecurity governance, risk management, and strategy for public companies. 

Specific requirements include:

1. Disclosure of Cybersecurity Incidents

The SEC’s new disclosure rules aim to increase transparency and provide investors with crucial information about potential risks. Here’s what you need to know about the disclosure process:

Disclosure of Cybersecurity Incidents

In the event of a cybersecurity incident, you are obligated to determine, ‘without unreasonable delay,’ if the incident is considered ‘material.’ This means you need to assess the potential impact on the company’s finances, operations, or reputation.

Material Cybersecurity Incidents

If you determine the incident as ‘material,’ you must file a report using SEC Form 8-K within four business days. This report should detail the incident’s nature, scope, and timing, along with its material impact or reasonably likely material impact.

Determining Materiality

There isn’t a specific financial threshold for materiality. However, the SEC offers guidance based on precedent, referencing a 1976 Supreme Court opinion by Justice Thurgood Marshall. Here’s what constitutes “materiality” according to this precedent:

What’s in the New SEC Cybersecurity Rules

2. Disclosure of Cybersecurity Risk, Management, and Strategy

In their annual report, covered companies must disclose how they assess, identify, and manage material risks from cybersecurity threats using SEC Form 10-K, as per Regulation S-K Item 106(b). This filing is required to:

3. Disclosure of Cybersecurity Governance

Using SEC Form 10-K, financial organizations must set out their cybersecurity governance structure, including:

7 Steps to Prepare for Compliance with the new SEC Cybersecurity Rules

Building a robust cybersecurity program that meets the new SEC regulations requires a company-wide effort. This means bringing together key decision-makers, from the CISO and CFO to the legal team and board. Everyone needs to be on the same page to ensure adequate security management across all departments.

Here are seven key steps to ensure the processes and technologies are in place to support compliant cybersecurity risk management, strategy, governance, and incident disclosure: 

1. Identify Your Organization’s ‘Crown Jewels’

The first step is determining which critical operations and infrastructure the business relies on to function and how a cyber incident might impact these. This work will include listing and ranking all assets across your business (including IT, OT, and IoT devices) in terms of risk mitigation and incident response measures.

2. Define ‘Materiality’ As It Applies to Your Business

This critical concept in the SEC cybersecurity rules can vary as it relates to an incident’s impact on a business’s specific operations. Some materiality is not limited to financial impact but may include, where relevant, environmental impacts, impacts on health and safety, and even the broader implications for the regional or national economy.

7 Steps to Prepare for Compliance with the new SEC Cybersecurity Rules

3. Establish the Necessary Assessment Capabilities 

It’s critical to assess the materiality of a cybersecurity incident rapidly. Determine precisely how long it takes to detect, investigate, evaluate, and disclose an incident. Streamline processes and build workflows to reduce response times so that your business can, at minimum, assess and disclose a material incident within the SEC’s required four-day window.

4. Create Incident Response Plans and Disclosure Procedures 

These plans and procedures are required to comply with the new SEC cybersecurity rules. Test your disclosure controls and procedures and incident response plans to ensure they work together to address the new report disclosure requirements. Ensure the right people have the training to complete and submit the required forms.

5. Identify Responsibilities of Key Individuals

Your incident response plan should be a transparent roadmap for everyone involved in cybersecurity – from top executives (C-suite) to all employees. It should outline everyone’s role, including who they report to (up the chain) and who they coordinate with (downstream). The plan should also assign clear responsibilities for quickly sharing accurate and consistent information about any significant security incident with internal staff and external stakeholders.

6. Review Your Current Cybersecurity Risk Governance Disclosures

Review your annual reports (Form 10-K) to ensure they accurately reflect board and senior management’s oversight of cybersecurity risks. Focus on board involvement, senior management roles (CISO, etc.), and your overall risk management processes. This ensures compliance with the SEC’s new cybersecurity governance disclosure requirements.

7. Institute Regular Employee Cybersecurity Awareness Training

Regular employee cybersecurity training strengthens compliance with the SEC rules in several ways. It reduces cyber attack risks, ensures everyone understands their security role, aids in faster incident reporting, and shows a proactive approach to the SEC. Although it’s not mandatory under the new SEC cybersecurity rules, security awareness training is a recognized best practice for effective cybersecurity.

Turn the SEC Cybersecurity Rules into Strength with CybeReady

CybeReady’s training fosters a strong security culture by making security training engaging, relevant, and ongoing—empowering your financial company’s staff and stakeholders to actively protect the organization.

Turn the SEC Cybersecurity Rules into Strength with CybeReady

With cybercrime booming, the much-needed new SEC rules highlight the push for strong cybersecurity in the financial sector. These rules aren’t just about compliance—they’re essential to protecting your company’s data and reputation while also protecting investors and clients.

The good news? The SEC cybersecurity rules can also help you build a security-aware culture across your entire organization, from new employees to the boardroom. Everyone needs to be on the same page about cybersecurity to stay safe and compliant.

This is where CybeReady can help. Our automated platform makes security awareness training fun and engaging for employees with a comprehensive, up-to-date program that covers phishing simulations, security best practices, and compliance training.

Start building a robust cybersecurity culture today with a free CybeReady demo.