Background

The Securities and Exchange Commission (SEC) is intensifying its focus on cybersecurity for publicly traded companies by finalizing new rules that mandate the disclosure of material cybersecurity incidents through Form 8-K. These rules also require periodic reporting on a company’s cybersecurity risk management, strategy, and governance in annual filings. This move, in my view, strengthens and standardizes cybersecurity controls while also reducing inaccuracies in financial reporting within a company’s information systems.

Understanding the SEC Rule

What Does This Mean for Publicly Traded Companies?

Before interpreting the final rule, it’s important to acknowledge the SEC’s ongoing commitment to enforcing cybersecurity risk and control measures for publicly traded companies. Since 2011, the SEC’s Division of Corporation Finance has issued guidance on companies’ disclosure obligations related to cybersecurity. In 2018, the Commission further clarified the responsibility of public companies to notify their investors and the market promptly about significant cybersecurity risks and incidents. Given this history, companies should not be surprised by the Commission’s direction regarding cybersecurity risk and controls management.

Key Elements of the Final Rule

In their periodic disclosures, publicly traded companies must:

Report material cybersecurity incidents within four business days after determining the incident’s materiality.
Detail processes for identifying, assessing, and managing cybersecurity risks, particularly those that could significantly impact the company’s business strategy, operations, or financial condition.
Disclose cybersecurity governance practices, including how the board oversees cybersecurity risks and how management monitors, detects, mitigates, and remediates cybersecurity threats.

On analysis, this final rule aligns well with other incident reporting regulations and enhances a company’s ability to manage cybersecurity risks while preventing errors in financial statements. Importantly, the rule aims to maintain investor confidence by avoiding the need for financial restatements.

Moving Forward

Companies should not view these SEC requirements as an additional burden. Instead, they represent an opportunity to improve risk and control processes, bolster investor confidence, and potentially gain a competitive edge. Here are my recommendations for meeting these requirements:

Align cybersecurity with business objectives: Cybersecurity programs should be integrated with overall business strategies. Often, cybersecurity efforts are siloed from business goals, leading to gaps in oversight and awareness of emerging threats.

Include cybersecurity leadership in boardroom discussions: The SEC expects the Board of Directors to be well-informed about cybersecurity matters. To achieve this, Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) should regularly engage with the board to discuss information security and risk management.

Establish strong governance and compliance programs: Compliance with SEC rules and other federal mandates requires an effective governance program, backed by a comprehensive compliance framework that maps each regulatory requirement to the controls and owners responsible for meeting it.

Implement industry-standard cybersecurity controls: Companies should develop and implement cybersecurity controls based on widely accepted frameworks like the NIST Cybersecurity Framework, the NIST 800 series, or ISO standards. Risk management strategies should be clearly defined, disseminated throughout the organization, and paired with robust incident response procedures. Regular testing of these controls is crucial, with any gaps identified and addressed promptly.

Ensure tight integration between Internal Audit and Cybersecurity teams: This collaboration helps ensure that governance, risk, and compliance processes are consistently implemented, controls are regularly tested, and any issues are remediated in a timely manner.

By following these guidelines, publicly traded companies can not only comply with SEC requirements but also enhance their overall cybersecurity posture, ultimately safeguarding both their assets and investor trust.
