SEC Cybersecurity Rules Update: The Complete Guide
Table of Contents
Introduction ........ 1
What to Know Now: Dates and Basic Action Plan ........ 3
Overview of the SEC Cybersecurity Disclosure Requirements ........ 5
How to Prepare for Compliance With SEC Cybersecurity Rules ........ 17
The SEC Cybersecurity Rules Demand Integrated Risk Management ........ 19
Introduction
Every company should feel urgency about maturing cybersecurity
risk management. That’s the core message behind the heightened
regulatory focus on cybersecurity — and with the U.S. Securities
and Exchange Commission’s (SEC’s) final cybersecurity disclosure
requirements for public companies taking effect in September
2023, it’s about to get real. The SEC cybersecurity rules will have a
significant impact on your organization and role.
auditboard.com 1
The risk is widespread and likely underreported. Citing a recent study showing that 98% of organizations use at least one third-party vendor that has experienced a breach in the past two years, the SEC has decreed that the time is now for enhancing and standardizing cybersecurity disclosures.

If you’re a leader at a private company, you may be thinking, “But this doesn’t apply to me.” You’re right. Officially, it doesn’t. But many private companies are third parties to public companies – and thus potentially liable for any cyber incidents impacting public companies. Plus, investors and other stakeholders often hold private companies to the same standards as public companies, and the SEC’s final rule is a good example of what we can expect from other cybersecurity legislation on the horizon, much of which goes beyond public companies. Most importantly, to find a cybersecurity solution for everyone, we need to admit that cybersecurity is everyone’s problem — and good cybersecurity risk management, strategy, and governance principles are universally applicable.

Whatever your business or industry, it’s time to get your head around the SEC’s cybersecurity disclosure rules and similar legislation expected in 2023. Disclosure will require both accuracy and speed: accuracy to determine the materiality of cybersecurity incidents, and speed to meet the 4-business-day requirement for disclosing material cybersecurity incidents. Plus, the SEC’s final rule marks a critical development in regulating cyber risk that underscores the importance of getting integrated risk management (IRM) processes in place — not just to comply with SEC cybersecurity rules, but to ensure you’re doing the right things to protect, defend, and enhance your business.
What to Know Now: Dates and Basic Action Plan
So, which rules apply to your business, when do they take effect, and what needs to happen to get your business on the path to compliance?
The table below offers an overview, breaking the new rules down into key items, compliance dates, and recommended actions.
What to Do Now
Now that you’re clear on applicability, dates, and recommended
actions, make sure you’re clear on what they mean for your
organization in the short term. In particular:
In other words, you may have less time than you think. Your
organization should be working NOW to get the processes
and technologies needed to support effective cybersecurity
disclosures in place by December 31. For most organizations,
that includes assessing gaps, establishing and integrating disclosure
processes, developing capabilities, and updating risk quantification
and incident management processes (including setting thresholds
and building workflows to assess materiality), engaging the board,
and more.
Overview of the SEC Cybersecurity Disclosure Requirements
The overview table and detailed breakdowns below simplify the how, when, and what of the final rules. By adopting these final rules, the SEC
aims to provide greater transparency into how companies are managing their cybersecurity risk; accordingly, mandatory disclosures will be
made via Form 8-K, 8-K/A, and 10-K filings (20-F, 6-K, and 6-K/A filings for foreign private issuers), meaning that all information becomes
public record. There are no requirements for the SEC to keep any information non-public. That means investors and other stakeholders can
use it in their decision-making — and regulators and attorneys can use it for their purposes.
With that in mind, I’ve gone through the complete release with a fine-toothed comb to create a summary table that tells you everything you
really need to know. For the sake of simplicity, our summary focuses on the requirements for US companies. Following the overview table, you’ll
also find a more detailed discussion of each disclosure requirement highlighting key considerations and differences between the draft and final
regulations. All page numbers refer to the SEC’s final rule PDF (which has been conformed to the Federal Register version).
Note that the SEC has divided the requirements into two reporting categories: “current,” which includes material incident disclosures made in 8-K
filings, and “periodic,” which includes required disclosures on cybersecurity risk management, strategy, and governance provided via 10-K filings.
Disclosure Requirements for Material Cybersecurity Incidents
To keep it simple, the SEC’s current reporting requirements (Form 8-K Item 1.05) are about being able to:
1. Identify material cybersecurity incidents.
2. Quantify their impact.

There will be a lot to pull together in a very short time frame, from the material incident determination to 8-K filing. For most organizations, this will require much more timely investigation and quantification around cybersecurity risk than is being done today.

The final rule includes several noteworthy changes from the original proposal, including:

• No specific materiality definition. The SEC declined to adopt a cybersecurity-specific materiality definition, stipulating, “we expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces.” (See p. 80.)

• Limited delays permitted:
  • In verified matters of national security or public safety. Companies may delay disclosure if the U.S. Attorney General (AG) “determines immediate disclosure would pose a substantial risk to national security or public safety.” In these circumstances, written notification from the AG to the SEC is required. (See pp. 34-35.)
  • For entities subject to the Federal Communications Commission’s (FCC’s) customer proprietary network information (CPNI) rule. The SEC permitted this exception given concerns about a potential conflict with existing FCC rules. (See pp. 41-42.)

• No required disclosures regarding remediation status. The final rule did not adopt the proposal to require disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised. The SEC considers that registrants will determine as part of materiality analyses whether such disclosures are necessitated. (See p. 30.)

• No required disclosure of immaterial cybersecurity incidents in aggregate. The proposal to require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate was not adopted. (See pp. 52 and 140.)

• No aggregation requirement for related incidents. The proposed aggregation requirement to capture the material impacts of related incidents was not adopted. (See p. 52.) That said, the SEC’s adopted definition of “cybersecurity incident” does extend to “a series of related unauthorized occurrences.”
Disclosure Requirements for Cybersecurity Risk Management and Strategy
The final rule includes a few noteworthy changes from the original
proposal, including:
to the investment decision of investors… while steering clear of
security sensitive details,” including:
Disclosure Requirements for Cybersecurity Governance
Finally, the cybersecurity governance disclosure requirements
(Regulation S-K Item 106(c)) ask companies to account for how
material cybersecurity risks are overseen at the board level, assessed
and managed at the management level, and communicated
to the board. This approach encourages a fresh look at how
cybersecurity risk management connects with strategy and
integrates with overall risk management.
It’s important to appreciate that, if the SEC had mandated the
disclosure of board cybersecurity expertise, it may have offered
investors a deceptive comfort. Board members’ fundamental role is to
oversee risk, not directly handle it. Their expertise should be reflected
in their ability to guide, not operate. That said, even without a concrete
mandate to disclose cybersecurity proficiency within the board, the
need for it remains implicit in the final rules.
How to Prepare for Compliance With the SEC Cybersecurity Rules
The best way to organize your to-do list is to start at the end and work backwards: Make sure you understand the final rules,
and let that guide your analysis of what needs to be done. Look beyond disclosure preparation to ensure you have the needed
infrastructure in place. Use the recommended action plan provided above to get started.
Again, to ensure the speed and accuracy needed for identifying incidents, assessing materiality, and preparing disclosures within
the 4-business-day requirement, an IRM approach will be critical. IRM and IRM technologies can help you connect and streamline
processes, controls, and teams to enable effective cross-functional collaboration and risk and impact quantification. The graphic
below illustrates the interplay between the new rules and the bigger picture of IRM and IRM technologies, including the four
universal IRM objectives of better performance, stronger resilience, greater assurance, and more cost-effective compliance.
Most companies have work to do in connecting technology and teams. AuditBoard’s 2023 Digital Risk Report
found that only 30% of organizations currently use cloud-based risk management software to manage digital
risk. Another 18% use on-premises risk management software, 44% still rely on manual technologies (e.g.,
spreadsheets, email, shared drives, and SharePoint), and 8% do not manage digital risk at all.
The SEC Cybersecurity Rules Demand Integrated Risk Management
With their final rules, the SEC has elevated IT risk and cybersecurity as true business risks. This is an important step in helping organizations to understand and manage their entire spectrum of strategic, operational, financial, and digital risks, helping them to make more informed, timely, and strategic decisions. But companies face significant challenges in maturing risk management and determining materiality. According to the SEC’s 1999 Staff Accounting Bulletin No. 99 and a March 2022 statement from Acting Chief Accountant Paul Munter, determining materiality is both qualitative and quantitative. It cannot be calculated using a formulaic method. As I told InformationWeek, “Determining materiality for cybersecurity will, in my opinion, require an integrated view of risk — tying cybersecurity to critical areas of the business operations. Without this view, the impact on a reasonable investor cannot be determined.”

Every organization should recognize that the SEC cybersecurity rules are part of a larger trend toward integrated reporting and risk management. Just like standalone financial reports don’t give the full picture of how a business is doing, disconnected technologies aren’t effective in meeting today’s risk management challenges. Integrated technology solutions bring together different data and perspectives into a common risk framework — creating an integrated view of risk that connects people, increases understanding, enables prioritization, and supports performance, resilience, assurance, and compliance. If your organization is still dragging its feet on integrating risk management, 2023 is the time to get moving.
About the Author
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.

About AuditBoard
AuditBoard is the leading cloud-based platform transforming audit, risk, IT security, and ESG management. More than 40% of the Fortune 500 leverage AuditBoard to move their businesses forward with greater clarity and agility. AuditBoard is top-rated by customers on G2, Capterra, and Gartner Peer Insights, and was recently ranked for the fourth year in a row as one of the fastest-growing technology companies in North America by Deloitte. To learn more, visit: AuditBoard.com.

© 2023 AuditBoard, Inc.