New SEC Cybersecurity Disclosure Requirements: Does Your Company Have a Disclosure Plan?
On July 26, 2023, the SEC adopted new cybersecurity disclosure rules that all publicly traded companies must address in their upcoming annual reports, beginning with December 18th year-end filers or later. This means that for all 12/31 year-end companies, the new Cybersecurity Risk Management, Strategy, Governance, and Incident Response Disclosure Rules must be addressed and disclosed in the upcoming 10-K.
The updated requirements are exceedingly stringent, but at a high level, these new mandates set strict guidelines for:
- Maintaining a comprehensive cyber risk management program and processes to identify, manage, and reduce cyber risk exposure
- Governance of cyber risk management, including leadership oversight, monitoring, and accountability for cyber risk management programs
- Disclosure of material cybersecurity incidents four business days after being deemed material
Why Is This Important?
The successful implementation and maintenance of the items highlighted above reduces risk exposure, provides a roadmap of the different risk areas that impact your organization, and establishes critical categorization and management processes for risk mitigation. Having a detailed inventory of applicable risks and how to respond to them will allow organizations to proactively monitor and manage the threat landscape, help comply with regulatory requirements, and provide investors clearer visibility into the cyber risk management practices that help protect the company and prevent future financial losses.
How Is Your Company Preparing for the New Disclosure Requirements?
As 10-K filing deadlines draw closer, it’s crucial that each company has a plan for developing the new Cybersecurity Risk Management, Strategy, and Governance Disclosure in S-K Item 106, as required. Keep in mind this can’t be the same ‘rinse & repeat’ approach that may be used for other established and unchanged disclosure requirements. Preparers must develop risk management descriptions that address each of the newly required disclosure points of focus. For companies that don’t have a centralized disclosure preparation process or that lack expertise regarding the new cyber requirements, waiting until the last minute to address the requirements and assemble the disclosure is ill-advised. Each company should prepare in advance for how it will comply and who will be responsible for developing the disclosure. Whether it’s through internal teams or outside consultants, having a plan may be the difference between successful and unsuccessful disclosure compliance.
How Centri Can Help
Centri has been following the SEC rollout of these requirements closely. We have performed extensive research and training and are well-prepared to guide your organization through this transition. Our team has the expertise needed not only to help your organization reach compliance but also to craft a personalized disclosure template to be enclosed with your 10-K filing.
Our tailored approach will take you through the necessary steps to ensure the successful and timely implementation of these requirements and help develop the new disclosures required for filing as efficiently as possible, with minimal disruption to your daily business needs.
At Centri, our IT risk and cybersecurity advisory and SEC compliance and financial reporting services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management and SEC compliance aligns with the specific needs of your company.
Managing Director | IT Risk & Cybersecurity Practice Leader | CISA
Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting. View Rich Sowalsky's Full Bio
Managing Director | CPA, PMP, CISA, CFE
Karyn is a Managing Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support. View Karyn DiMassa's Full Bio
Senior Manager | CPA
Kevin is a Senior Manager at Centri Business Consulting within the Risk Advisory Practice. He has more than 13 years of experience in internal audit, SOX testing, and risk advisory services. View Kevin Zeina's Full Bio
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.