New SEC Rules on Cybersecurity Disclosures – Q&A

SEC New Rules 

Effective September 2023, the Securities and Exchange Commission adopted new rules aimed at enhancing and standardizing disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, amendments were adopted to require current disclosure about material cybersecurity incidents. In addition, rules requiring periodic disclosures about an organization’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks were adopted.

Below I answer some of the most common questions my clients came to me with. I hope these clarifications are of help.

Q: Do the new SEC rules/laws apply to my organization?

A: All SEC registrants must comply with the new ruling.

If you are a Publicly Traded Company, Registered Investment Advisors and Broker/Dealers, and/or an Exchanges and Clearing Agency, you are likely to be impacted by the new rulings.

Q: What are the new SEC laws/mandates?

A: There are 3 key elements that apply to most organizations:

1. Material Cybersecurity incidents are required to be disclosed on Form 8-K within 4 business days of their being deemed material.
2. Annual disclosures in Form 10-K of:
• Documented cybersecurity risk management and strategy.
• Description of “the Board’s oversight of risks from cybersecurity threats.”
• Inclusion of “the board of directors’ oversight of cybersecurity risks.”
3. Disclosures must be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

Note: Page 12 of the SEC document outlines additional details

Q: What does this mean in practical terms?

A: In practical terms, you are required to have a documented cybersecurity incident response plan that is part of a comprehensive cybersecurity strategy and plan that illustrates your C-level executives and the Board of Directors are knowledgeable and active participants in them.

Q: What changes do I need to introduce to my organization’s cybersecurity strategy?

A: Be sure to comply with and document that C-level executives and the Board of Directors are active participants in your overall cybersecurity strategy.  It is a best practice to have a Board of Directors committee that annually reviews and signs off on the documented cybersecurity strategy and it is recorded in the Board minutes. This ensures you can produce the necessary artifact if required.

Q: Can the iShift Cybersecurity Platform expedite my organization’s cyber readiness?

A: Yes! With the help of our AI-enabled platform, in as little as one week, we can assess your cybersecurity posture and provide you with a comprehensive cybersecurity plan and strategy tailored to your risk appetite. Don’t wait until Q4 to start thinking about how you will comply.

iShift makes it simple and easy by crafting a Cybersecurity Strategy tailored to identify your organization’s inherent risks, then we build a realistic cybersecurity plan to position your organization at a comfortable residual risk level. 

About Rich

Rich Dussliere is an accomplished cybersecurity expert who heads the Office of the CISO and vCISO services at iShift. Rich relies on his real-world experiences as a cybersecurity practitioner to help organizations address the friction points that emerge within as cyberthreats evolve and cybersecurity challenges gain visibility. His experience spans diverse sectors, including financial services, manufacturing, and healthcare. Follow Rich on LinkedIn or contact him directly at [email protected].

Share this article on: