What to Be Aware of for Public Company Compliance with the SEC’s New Cybersecurity Disclosure Rules
The U.S. Securities and Exchange Commission’s (SEC) adoption of new Cybersecurity Disclosure rules have put all public companies, their investors, and auditors on notice. With the final rules having gone into effect on September 5, 2023, the countdown has officially started for companies to take actions now to comply with year-end reporting requirements, with new cybersecurity disclosures required in upcoming annual reports for all companies with fiscal years ending on or after December 15, 2023.
While the final rules are more consolidated and less granular than the originally proposed rules, the new standards still require companies to have a robust cybersecurity program that holds up to regulatory and investor expectations.
Overview of the New Requirements
Companies must disclose in their 10-K (or Form 20-F for Foreign Private Issuers) details about their processes for Cybersecurity Risk Management, Strategy, and Governance. In addition, companies will be required to report material cyber incidents by disclosing the nature, extent, and timing of the incident through Form 8-K (or Form 6-K for Foreign Private Issuers) within four (4) business days after determining that a material cyber incident has occurred.
For reference, see below for a summary glance of the new disclosure requirements.
Action Items
Now is the time for each publicly traded company to thoroughly assess, and where needed, beginning the process of enhancing their cybersecurity program. The following are a non-encompassing list of action items that companies, and their auditors must consider before the reporting deadline to ensure compliance:
- Perform a gap assessment against the new disclosure requirements to determine if the company is in compliance and what actions need to be taken to get there.
- Identify and engage the necessary stakeholders who should help with the new compliance efforts. These may include those charged with governance, C-Levels, IT & Information Security, Legal, Internal Audit, External Auditors, SEC Reporting, external consultants, and more.
- Conduct (or refresh) and document a formal cybersecurity risk assessment exercise to identify, manage, and assess material risks from cyber threats.
- Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
- Assess the current level of cyber risk oversight by management and at the governance level and determine potential enhancements needed in lines of reporting, responsibilities, and sub-committees as they relate to how each company monitors and addresses cybersecurity risk.
- Develop or refine an incident response plan to include initial and periodic reporting requirements.
- Update or establish a third-party risk management program to ensure sufficient vendor oversight is in place, including updating requirements for third-party breach notification.
- Create a methodology for determining if a cybersecurity incident is considered material to each organization. This should include a mix of qualitative and quantitative factors and should be tailored to measure factors such as company systems, data, people, and processes that are critical to operations.
- Update SEC disclosure checklists to comply with the new cybersecurity rules.
- Keep in mind that Small Reporting Companies (SRC) have an extended compliance deadline of June 15, 2024, as it relates to reporting of material cybersecurity incidents. However, SRC’s still must comply with the Cybersecurity Risk Management, Strategy, and Governance disclosure requirements in their upcoming 10-K’s for SRC’s with fiscal year ends on or after December 15, 2023. Therefore, it is critical that SRC’s take actions as soon as possible to provide ample time to achieve the necessary level of compliance by year-end per the disclosure and auditor requirements.
Summary of the New Requirements
Cyber Risk Management & Strategy
Regulation: S-K Item 106(b)
Compliance Dates: Annual reports for fiscal years ending on or after December 15, 2023
- Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
- Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
Governance
Regulation: S-K Item 106(c)
Compliance Dates: Annual reports for fiscal years ending on or after December 15, 2023
- Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.
- Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board
Material Cybersecurity Incident Disclosure
Regulation: Form 8-K Item 1.05
Compliance Dates: December 18, 2023 for non-SRC and Starting June 15, 2024 for Small Reporting Companies (SRC)
- If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
How Centri Can Help
At Centri, our IT risk and cybersecurity advisory and SEC compliance and financial reporting services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management and SEC compliance aligns with your company’s specific needs.
Editor’s note: This article was originally published on August 29, 2023. It was updated on November 15, 2023.
Managing Director | IT Risk & Cybersecurity Practice Leader | CISA
Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting. View Rich Sowalsky's Full Bio
Director | CPA, PMP, CISA, CFE
Karyn is a Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support. View Karyn DiMassa's Full Bio
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
Eight Penn Center
1628 JFK Boulevard
Suite 500
Philadelphia, PA 19103
530 Seventh Avenue
Suite 2201
New York, NY 10018
4509 Creedmoor Rd
Suite 206
Raleigh, NC 27612
615 Channelside Drive
Suite 207
Tampa, FL 33602
1175 Peachtree Street NE
Suite 1000
Atlanta, GA 30361
50 Milk Street
18th Floor
Boston, MA 02109
1775 Tysons Blvd
Suite 4131
McLean, VA 22102
8310 South Valley Highway
3rd Floor
Englewood, CO 80112
1-855-CENTRI1
virtual@CentriConsulting.com