How to Approach the SEC’s New Cybersecurity Disclosure Rules

The U.S. Securities and Exchange Commission’s (SEC) adoption of new Cybersecurity Disclosure rules has put all public companies on notice. With the final rules going into effect on September 5, 2023, the countdown has officially started for companies to take action now to comply with year-end reporting requirements, with new cybersecurity disclosures required in upcoming annual reports for all companies with fiscal years ending on or after December 15, 2023.

While the final rules are more consolidated and less granular than the originally proposed rules, the new standards will still require companies to have a robust cybersecurity program that holds up to regulatory and investor expectations.

Overview of the New Requirements

Companies must disclose in their 10-K (or Form 20-F for Foreign Private Issuers) details about their processes for Cybersecurity Risk Management, Strategy, and Governance. In addition, companies will be required to report material cyber incidents by disclosing detailed information about the incident through Form 8-K (or Form 6-K for Foreign Private Issuers) within four (4) business days after determining that a material cyber incident has occurred.

For reference, see below for a summary glance of the new disclosure requirements.

How to Get Ready

Now is the time to thoroughly assess, and where needed, begin the process of enhancing your cybersecurity program. The following is a non-encompassing list of action items that companies must consider before the reporting deadline to ensure compliance:

• Perform a gap assessment against the new disclosure requirements to determine if your company is in compliance or what actions must be taken to get there.
• Identify and engage the necessary stakeholders to help with the new compliance efforts. This may include those charged with governance, C-Levels, IT & Information Security, Legal, Internal Audit, SEC Reporting, external consultants, and more.
• Conduct (or refresh) a formal cybersecurity risk assessment exercise to identify and manage material risks from cyber threats.
• Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
• Assess the current level of cyber risk oversight by management and at the governance level and determine potential enhancements needed in lines of reporting, responsibilities, and sub-committees as they relate to how your company monitors and addresses cybersecurity risk.
• Develop or refine the incident response plan to include initial and periodic reporting requirements.
• Update your third-party risk management program to ensure sufficient vendor oversight is in place, including updating requirements for third-party breach notification.
• Create a methodology for determining if a cybersecurity incident is considered material to your organization. This should include a mix of qualitative and quantitative factors tailored to measure factors such as your systems, data, people, and processes critical to your operations.
• Update SEC disclosure checklists to comply with the new cybersecurity rules.
• Keep in mind that Small Reporting Companies (SRC) have an extended compliance deadline of June 15, 2024, as it relates to reporting of material cybersecurity incidents. However, SRC’s still must comply with the Cybersecurity Risk Management, Strategy, and Governance disclosure requirements in their upcoming 10-K’s for SRC’s with fiscal year ends on or after December 15, 2023. Therefore, it is critical that SRC’s take action as soon as possible to provide ample time to achieve a desirable level of compliance by year-end.

Summary of the New Requirements

Cyber Risk Management & Strategy

Regulation: S-K Item 106(b)
Compliance Dates: Annual reports for fiscal years ending on or after December 15, 2023

1. Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
   • Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
   • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
   • Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
2. Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

Governance

Regulation: S-K Item 106(c)
Compliance Dates: Annual reports for fiscal years ending on or after December 15, 2023

1. Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.
2. Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
   • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
   • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
   • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Material Cybersecurity Incident Disclosure

Regulation: Form 8-K Item 1.05
Compliance Dates: December 18, 2023 for non-SRC and Starting June 15, 2024 for Small Reporting Companies (SRC)

1. If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

How Centri Can Help

At Centri, our IT risk and cybersecurity advisory and SEC compliance and financial reporting services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management and SEC compliance aligns with your company’s specific needs.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO, and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.

For more information, please visit www.CentriConsulting.com