Understanding the New SEC Cybersecurity Guidelines

The U.S. Securities and Exchange Commission (SEC) provides guidance on cybersecurity risk management, strategy, governance, and incident disclosure for public companies across industries, including the financial and healthcare industries. In recent years, the SEC has emphasized the importance of disclosing material cybersecurity risks and incidents to investors. New rules, approved on July 26, 2023, reflect a significantly increased focus on the SEC's cybersecurity disclosure requirements. Keep reading to learn more about the latest guidelines and how they will affect your business.

According to the SEC's press release, the new final rule requires public companies to disclose any material cybersecurity incident within four business days of determining that the incident is material (subject to certain exceptions). Cybersecurity risks are considered material if they have a significant impact on the company's finances, operations, or customer relations. This new requirement is added as Item 1.05 on Form 8-K. In addition to the disclosure requirement itself, the new rule requires public companies to disclose the nature and projected consequences of the breach. Under the new Item 1.05 on Form 8-K, companies must describe:

  • The nature, scope, and timing of the data breach
  • Impact or projected impact on the company, including its financial condition and results of operations

In addition, companies must now disclose in their annual report (Form 10-K) whether the reported data breach has materially affected, or is projected to affect, their business strategy, including any material changes to their governance, policies, procedures, or technologies. They are also required to disclose whether they have a cybersecurity risk assessment program and to describe it in detail. Finally, companies must disclose whether they engage assessors, consultants, auditors, or other third parties in connection with the business's cybersecurity risk assessment program.

The last addition is Item 106 of Regulation S-K, which requires companies to describe the board's oversight of risks from cybersecurity threats, including any specific board committee or subcommittee tasked with overseeing cybersecurity risks. The board must be kept informed about cybersecurity risks and incidents, which includes regular updates from management or the company's cybersecurity team.

So, what does this mean for your business?

The majority of public companies already have some type of cybersecurity protection, but they may not be in compliance with the new SEC guidelines, which require companies to be able to identify and manage material cybersecurity risks and to have processes in place to disclose those risks promptly. This can be hard to manage when a business's cybersecurity is run by a small or inexperienced internal team. The new SEC guidelines also require board members to actively oversee cyber risk management programs, which calls for additional training so that they understand the company's cybersecurity risks and the measures in place to manage them.

Companies must also ensure that their cyber risk management programs are closely integrated with their business strategy and financial planning, which requires closer collaboration between the company's cybersecurity team, executive management, and the board. A virtual Chief Information Security Officer (vCISO) service can assist with this and more, developing insights and strategies to enhance cybersecurity throughout an organization and guiding the organization on its security journey.

Adhere to SEC Guidelines with Entara

As an eXtended Service Provider (XSP), Entara delivers exceptional, security-first IT solutions for your business. Our extensive proactive security services help companies meet compliance standards, and our expert engineers help companies roadmap their security journey so that they can both meet compliance standards and support their business goals through their technology solutions. Through our proactive solutions, our goal is to make a security incident a simple support ticket rather than a total business outage or a severe data compromise.

In addition to our proactive services, Entara also has a mature partner ecosystem that includes digital forensics and incident response (DFIR) firms, breach coaches, and more, to provide fast response times in the event of a breach. Our experts at Entara, alongside our partners, are ready to respond to your security incident, work to eradicate the threat, and get your company up and running as quickly as possible. Contact us to learn more about how we can support your cybersecurity needs through offerings such as Entara's vCISO advisory services.