SEC cyber rules: Essential knowledge for boards and executives
Over the past year, the U.S. Securities and Exchange Commission (SEC) rules on enhanced cybersecurity disclosures have become a standing obligation for public companies. The rules are meant to give investors a consistent view of a company's cybersecurity risk management, strategy and governance, and timely notice of incidents that are material to the business. They require the following:
- A description of the company's processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, and of whether any such risks have materially affected or are reasonably likely to materially affect the company.
- Disclosure on Form 8-K within four business days after the company determines that a cybersecurity incident is material, either individually or in aggregate with other related unauthorized occurrences. The clock starts at the materiality determination, which must be made without unreasonable delay, not at discovery of the incident.
- Annual disclosure of the board's oversight of cybersecurity risk and of management's role and expertise in assessing and managing material cybersecurity risks.
With these requirements in place, it is crucial for companies to quickly transform cyber preparations into actionable strategies and for boards to enhance their disclosure and oversight responsibilities.
What boards need to know
The SEC’s final rules became effective in September 2023, 30 days after publication in the Federal Register. The Form 8-K incident-disclosure requirement applied from December 18, 2023 (smaller reporting companies had an additional 180 days), and the annual disclosures apply to Form 10-K filings for fiscal years ending on or after December 15, 2023. What actions do boards need to take today, and further down the road? How can directors increase their cyber-savviness, and what do they need to know for the future?
“Boards, CEOs, and CFOs want to be looking at these disclosures to make certain that they’re accurate and there’s operating processes in place that are really effective around these risk management areas,” Barbara Berlin, managing director of PwC’s Governance Insights Center, said in an episode of Inside America’s Boardrooms.
Under the rules, disclosures fall into two buckets: cybersecurity incidents (reported on Form 8-K), and strategy, risk management and governance (reported annually). The second bucket covers a lot of ground: risk assessment processes, how the company detects threats and protects information, business continuity and recovery plans, whether it engages outside assessors or auditors, how it oversees risk from third-party service providers, and so on.
Not only will directors need to get used to a new level of disclosure, but they will also need to accustom themselves to new processes. For starters, disclosures on strategy, risk management and governance are now part of the Form 10-K, rather than the proxy statement as many people expected, Berlin said. “I think this is a pretty significant change,” she said.
Another big change: disclosing cyber incidents on a Form 8-K, which Berlin estimates only 20% of companies do right now.
Boards can strengthen their cyber knowledge and readiness through:
- Bringing in outside experts for board briefings
- Requiring outside cybersecurity courses and credentials for directors
- Examining the existing knowledge base — is there a cyber expert on the board already, and what are their credentials and expertise?
Finally, all directors should have a macro view of the organization’s cyber programs through assessments and frequent communications with top technology leaders. This is necessary for both overseeing cyber risk and considering these risks in business strategy, financial planning and capital allocation processes. For example, does the organization have adequate insurance and planning in the event of a cyber breach? Is the company modeling the range of financial impacts?
Myrna Soto, CEO and founder of Apogee Executive Advisors, emphasized the governance, risk and compliance (GRC) connection at Diligent’s 2022 Modern Governance Summit — the need to understand what’s being disclosed and the “so what?” from a business standpoint.
“Putting it into business terms works magic in the organization,” she said. “Because when you can contextualize it, now you have to go to a line leader or technology leader and say hey, I really need you to work with me on this project and I need you to give me visibility into what you’re doing.”
What CTOs, CISOs and CIOs need to know
On the management side, what do chief technology, information security and information officers need to know about the SEC regulations? What must they do to ensure compliance? How can they set themselves up for success in the future?
First of all, given the compressed timeline for disclosing material cyber incidents, CTOs, CISOs and CIOs need to make sure incident reporting is wired into the company's disclosure controls and procedures, with clear escalation criteria: what threshold qualifies an incident for board notification, who makes the materiality determination, and who does the notifying?
Does the company have a top leadership role such as a Chief Information Security Officer? What are their credentials? Who does this person report to, and does that reporting line sit outside the IT organization whose work it is meant to check, much as internal audit typically does not report within an organization’s finance operations?
Bob Ackerman, managing director and founder of AllegisCyber Capital, presents a case for making cyber risk part of the auditing process. “The annual audit is based on an understanding of the company’s business, its risks and its controls to mitigate those risks. It’s a simple, logical conclusion that cyber risk — when measured objectively and with scientific rigor — should be included as part of how the industry and regulators measure and analyze systemic risk for every company.”
Finally, CTOs, CISOs and CIOs must do their part in ensuring, and documenting, a comprehensive cybersecurity program. Next steps to put the necessary nuts and bolts in place include:
- Administering cyber training for all employees
- Evaluating systems through a third-party penetration testing firm or through authorized offensive exercises such as red-team engagements
- Upgrading security and backup systems as needed
- Supplementing internal cyber monitoring efforts with those of an externally managed services provider
- Continuously monitoring cyber activity in real time and using it to measure whether existing security tools and controls are actually effective
“Measuring the effectiveness of a cybersecurity program is still a rather new concept. But cybersecurity isn’t unknowable,” says Ackerman. “Its complexity doesn’t exempt it from measurement. Today there are many more tools and processes to continuously monitor and measure controls compared to just a few years ago.”