SEC Adopts New Cybersecurity Risk Management, Governance, and Incident Disclosure Requirements

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules requiring public companies and foreign private issuers to disclose material cybersecurity incidents experienced, along with requirements for annual disclosure of details about their cybersecurity risk management, strategy, and governance. The adoption follows a prolonged comment period and a round of updates to the original rules proposed in March 2022, and represents an effort by the SEC to help investors make informed investment decisions by providing clearer visibility into each company’s commitment towards cybersecurity and the actions taken to protect their systems, data, and people.

Reporting of Material Cybersecurity Incidents and Periodic Reporting to Provide Updates about Previously Reported Incidents

  • Registrants will be required to report a material cybersecurity incident within four (4) business days after determining that the incident is material. This will require companies to establish a cyber incident materiality threshold. The disclosure will need to be reported on Form 8-K and include information about the nature, scope, timing, and impact of the material cyber incident.
  • Registrants will also be required to provide updates on previously reported material cybersecurity incidents in their 10-Ks and 10-Qs for the period in which the update occurred.

Disclosure of Cybersecurity Risk Management, Strategies, and Governance

  • Companies are required to disclose information regarding their cybersecurity policies, procedures, and governance for identifying and managing cybersecurity risks and threats.
  • Details that registrants will be required to disclose in Form 10-K (and Form 20-F) include:
    • A description of the company’s cybersecurity risk management program.
    • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with the cybersecurity risk management program.
    • How the company manages and oversees its vendors and their associated access to data.
    • A description of the activities the company undertakes to prevent, detect, and minimize the effects of cybersecurity incidents.
    • Whether the company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident.
    • How cybersecurity risks are considered and integrated as part of the company’s business strategy, financial planning, and capital allocation.
    • A description of the registrant’s cybersecurity governance, including the board’s involvement, expertise, and oversight of cybersecurity risk.
    • Management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Compliance Dates for Registrants

  • Compliance with the incident disclosure requirements begins the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023, and must be reported in Item 1.05 on Form 8-K within 4 business days of the material incident determination.
  • Compliance with cyber risk management disclosure requirements will begin with annual reports for fiscal years ending on or after December 15, 2023 (in Form 10-K and Form 20-F).
  • Smaller Reporting Companies will have an additional 180 days and must comply with material incident disclosures in Form 8-K on the later of 270 days from the effective date of the rules or June 15, 2024.

What Should Companies Do Now?

  • Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
  • Adopt an annual, externally performed cybersecurity risk assessment to identify vulnerabilities and weaknesses and to define a path forward for resolution and mitigation.
  • Assess the Board of Directors’ current role in cybersecurity risk and threat assessment, and identify whether any members qualify as a ‘cyber expert’.
  • Develop or refine the incident response plan to include initial and periodic reporting requirements.
  • Update and refine the vendor risk management program.
  • Create a methodology for determining if a cybersecurity event is considered material to your organization.
  • Harden current security configurations or adopt new security measures to reduce the likelihood and impact of a successful attack.
  • Update SEC disclosure checklists to comply with the new cybersecurity rules.

How Centri Can Help

At Centri, our IT risk and cybersecurity advisory and SEC compliance and financial reporting services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management and SEC compliance aligns with the specific needs of your company.

Karyn DiMassa

Director | CPA, PMP, CISA, CFE

Karyn is a Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support.

Rich Sowalsky

Managing Director | IT Risk & Cybersecurity Practice Leader | CISA

Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed on time and accurately.
