The Securities and Exchange Commission (SEC) has recently introduced new cyber rules that require organizations to disclose material cybersecurity incidents and provide information on their cybersecurity risk management strategies. These rules aim to ensure consistent and decision-useful disclosures regarding an organization's exposure to cybersecurity risks and incidents.
We reviewed the rules in a prior post, but to recap, the SEC requires the following:
- Current reporting about material cybersecurity incidents on Form 8-K;
- Periodic disclosures regarding, among other things:
  - A registrant’s policies and procedures to identify and manage cybersecurity risks;
  - Management’s role in implementing cybersecurity policies and procedures;
  - Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  - Updates about previously reported material cybersecurity incidents;
- Cybersecurity disclosures must be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
Timing
We must all be aware of the timing deadlines. Beginning December 15, companies are required to disclose on Form 8-K, within four business days, any cybersecurity incident determined to be material. Additionally, annual reports from December 15 onward should include descriptions of processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the board of directors' oversight of such risks.
Initial thoughts on compliance
We suggest you gather your team, as noted below, to ensure you have discussed or refined your process for these new compliance requirements. As food for thought, we have compiled the steps below to initiate further discussions internally:
- Rally your team for cyber filings: Gather your existing cross-functional team, consisting of CISO/security teams, finance, legal, and audit professionals. This team (hopefully already assembled for current compliance) will play a crucial role in assessing, identifying, and managing cybersecurity risks, ensuring compliance with the new rules. Importantly, this team will have the critical role of determining whether a cybersecurity incident is material and therefore requires disclosure.
- Gain resolution on what is "material": Work closely with your team to clearly define what constitutes a "material" cybersecurity incident for your organization. This can be challenging, as the idea of materiality is not always clear cut, so consider a process to rely on after any considerable cyber incident in order to make a determination. This will ensure the appropriate level of disclosure required under the new rules.
- Move toward a cyber risk score and description: Regulation S-K Item 106(b) now asks us to describe “policies and procedures to identify and manage cybersecurity risks.” Implement a cyber risk quantification process to assess and manage cybersecurity risks effectively. This process should provide a clear risk scoring mechanism and a comprehensive description of the organization's cyber risk management strategies.
- Start board reporting on cyber risk now: Initiate regular reporting on cyber risk to the board by making it a permanent agenda item. This will ensure that the board is actively involved in overseeing cybersecurity risks and can provide valuable insights for annual filings.
- Capture board expertise for next filing: Have a security leader engage the board to capture their expertise in the preparation of the next annual filing. The SEC tells us we must share “management’s role and expertise in assessing and managing cybersecurity risk.”
Compliance with the SEC's new cyber rules is crucial for organizations to protect themselves and their stakeholders from cybersecurity- and compliance-related risks. By considering these five steps, organizations can begin to navigate the regulatory landscape effectively and ensure they meet the requirements for disclosure and risk management. Naturally, this blog is not meant to be legal advice; however, we hope you find it useful as you consider your compliance moving forward.
As organizations digest the new SEC cyber rules and consider how to best move forward with cyber risk management, we have introduced Risk360™, our data-driven product for managing cybersecurity risk. Risk360 is a comprehensive risk framework for powerful cyber risk quantification that ingests real data from an organization’s Zscaler environment. Risk360 offers intuitive risk visualizations, risk mapped to stages of an attack, financial exposure detail, and board-ready reporting, along with detailed, actionable security risk insights to immediately use for mitigation.
For more information, listen to our webinar on the topic of SEC cyber compliance considerations led by our CISO, Deepen Desai, joined by a legal expert from Wilson Sonsini, and the deputy CISO of ServiceNow.
We also encourage customers to ask their account teams for a demo to see how Risk360 can help ease the new compliance efforts required by the SEC. It will help teams seeking to describe and quantify policies and procedures to identify and manage cybersecurity risk, and streamline the efforts needed to allow the board to oversee cybersecurity risk.