On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules requiring public companies and foreign private issuers to disclose material cybersecurity incidents experienced, along with requirements for annual disclosure of details about their cybersecurity risk management, strategy, and governance. The adoption follows a prolonged comment period and a round of updates to the original rules proposed in March 2022, and represents an effort by the SEC to help investors make informed investment decisions by providing clearer visibility into each company’s commitment towards cybersecurity and the actions taken to protect their systems, data, and people.
Reporting of Material Cybersecurity Incidents and Periodic Reporting to Provide Updates about Previously Reported Incidents
- Registrants will be required to report a material cybersecurity incident within four (4) business days after determining that the incident is material. This will require companies to establish a cyber incident materiality threshold. The disclosure will need to be reported on Form 8-K and include information about the nature, scope, timing, and impact of the material cyber incident.
- Requirements for updates on previously reported material cybersecurity incidents through the registrant’s 10-Ks and 10-Qs for the period in which the update occurred.
Disclosure of Cybersecurity Risk Management, Strategies, and Governance
- Companies are required to disclose information regarding their cybersecurity policies, procedures, and governance for identifying and managing cybersecurity risks and threats.
- Details that registrants will be required to disclose in Form 10-K (and Form 20-F) include:
- Description of the company’s cybersecurity risk management program.
- If the registrant engages assessors, consultants, auditors, or other third parties in connection with the cybersecurity risk management program.
- How the company manages and oversees their vendors and associated access to data.
- A description of how the company undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents.
- If the company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident.
- How cybersecurity risks are considered and integrated as part of the company’s business strategy, financial planning, and capital allocation.
- Requirements for disclosure about a registrant’s cybersecurity governance, including the board’s involvement, expertise, and oversight over cybersecurity risk.
- Management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Compliance Dates for Registrants
- Compliance with the incident disclosure requirements begins the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023, and must be reported in Item 1.05 on Form 8-K within 4 business days of the material incident determination.
- Compliance with cyber risk management disclosure requirements will begin with annual reports for fiscal years ending on or after December 15, 2023 (in Form 10-K and Form 20-F).
- Smaller Reporting Companies will have an additional 180 days and must comply with material incident disclosures in Form 8-K on the later of 270 days from the effective date of the rules or June 15, 2024.
What Should Companies Do Now?
- Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
- Adoption of an annual externally performed cybersecurity risk assessment to identify vulnerabilities and weaknesses and a path forward for resolution and mitigation.
- Assess the Board of Director’s current role in cybersecurity risk and threat assessment, and identify if any members qualify as a ‘cyber expert’.
- Develop or refine the incident response plan to include initial and periodic reporting requirements.
- Update and refine the vendor risk management program.
- Create a methodology for determining if a cybersecurity event is considered material to your organization.
- Harden current security configurations or adopt new security measures to reduce the likelihood and impact of threat actors.
- Update SEC disclosure checklists to comply with the new cybersecurity rules.
How Centri Can Help
At Centri, our IT risk and cybersecurity advisory and SEC compliance and financial reporting services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management and SEC compliance aligns with the specific needs of your company.
Rich Sowalsky, CISA
Managing Director | IT Risk & Cybersecurity Practice Leader
Rich is the Managing Director and IT Risk & Cybersecurity Practice Leader at Centri. He has more than 13 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits & accounting. Over the years, Rich has provided a variety of risk advisory and compliance services for clients across various industries, including insurance, healthcare, life sciences, financial services, and higher education.
Karyn DiMassa, CPA, PMP, CISA, CFE
Director | IT Risk & Cybersecurity Practice
Karyn is a Director in the IT Risk & Cybersecurity Practice at Centri. She has over 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support. Karyn has provided risk advisory and project management services to various clients throughout several industries, including utilities, manufacturing, pharmaceuticals, life sciences, insurance, financial services, and healthcare.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
For more information, please visit www.CentriConsulting.com
Eight Penn Center
1628 JFK Boulevard, Suite 500
Philadelphia, PA 19103
New York Office
530 Seventh Avenue
New York, NY 10018
50 Milk Street
Boston, MA 02109
Tysons Corner Office
1775 Tysons Blvd
Tysons, VA 22102
8310 South Valley Highway
Englewood, CO 80112
4509 Creedmoor Rd
Raleigh, NC 27612
615 Channelside Drive
Tampa, FL 33602