SEC Public Company Cybersecurity Rules

New SEC rules will require prompt disclosure of incidents, clear reporting on cyber risk management policies and procedures, and deeper board-level involvement.

Details

In July 2023, the US Securities and Exchange Commission (SEC) issued a new set of cybersecurity disclosure rules pertaining to public companies in the United States. These rules are meant to help investors make decisions about where to invest by providing more information about how seriously an organization takes cybersecurity risks.

Companies that can share details on their process for tracking cyber risk—such as how they create and track cyber risk scores over time, while creating a repeatable, straightforward process for reporting to and engaging their board of directors on cybersecurity risk—stand to differentiate themselves in the eyes of investors.

The SEC seeks to thread a needle between organizations providing enough data to inform investors while not “increasing a company’s vulnerability to cyberattack … to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors.” 

The Federal Register shows the rules took effect September 5, 2023.

Key new SEC cybersecurity rules
New Form 8-K Item 1.05

Disclosure of the details of a material cybersecurity incident within four business days of the company determining that the incident is material.

New Regulation S-K Item 106(b)

Provide a description of the “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats…”

Cybersecurity disclosures

To be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

New Regulation S-K Item 106(c)

Provide a description of the board of directors’ oversight of cybersecurity risk and their role and expertise in assessing and managing material risks from cybersecurity threats.

How To Prepare
Rally the team for cyber-related filings

Review the new rules with security leads, as well as the audit and finance teams who manage filings, to create a process that can meet the four-business-day disclosure deadline when a material incident occurs.


Understand what constitutes “material.”

Ensure your company has a strong grasp on how to determine when a cybersecurity event meets the threshold of being “material.”


Describe the cyber risk process

Security leaders must draft their description of the process for understanding and assessing cyber risk. This may include cyber risk tools, the risks those tools address (e.g., external attack surface or risk of data loss) and the processes their teams follow to mitigate identified risks.


Sit with the board

Leaders across security and audit must work with the board of directors to create a process, if one is not already in place, for how the board will oversee cyber risk. This may include making cybersecurity a permanent topic in quarterly business reviews (QBRs) to review risk scores, key drivers of risk, mitigation actions, and needed investments.


Leverage board cyber expertise

Security leaders must identify and interview board members with cybersecurity expertise so that this expertise can be captured and described in annual reports and proxy filings.


Risk360: How Zscaler thinks about cyber risk
Zscaler Risk360™ is a comprehensive and actionable risk framework that delivers powerful cyber risk quantification by ingesting real data from an organization’s Zscaler environment. Risk360 offers intuitive visualizations, financial exposure detail, and board-ready reporting, along with detailed, actionable security risk insights to immediately use for mitigation.
Risk360 measures cyber risk across key areas of the attack chain:
External attack surface

See the risk of attackers finding and exploiting attack surface weaknesses by examining externally discoverable attributes of the organization.

Compromise

Understand and mitigate risk by looking at a broad range of events, security configurations, and traffic flow attributes to compute the likelihood of a compromise.

Lateral movement

See the company’s risk of lateral threat propagation by examining a range of private access settings and metrics.

Data loss/exfiltration risk

Analyze and limit the risk of attackers exfiltrating data.


Take the next step

Let our experts show you how Zscaler Risk360 minimizes your organization's attack surface, prevents lateral movement, and negates the risk of data loss.