SEC Public Company Cybersecurity Rules
The SEC's rules require prompt disclosure of material cybersecurity incidents, clear reporting on cyber risk management processes, and disclosure of how the board and management oversee cyber risk.
On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted final cybersecurity disclosure rules for public companies in the United States. The rules are meant to help investors make decisions by giving them consistent, comparable information about how seriously a company manages cybersecurity risk.
Companies that can describe a repeatable process for tracking cyber risk (for example, how they produce cyber risk scores and follow them over time) and for reporting that risk to and engaging their board of directors stand to differentiate themselves in the eyes of investors.
The SEC seeks to thread a needle: registrants must provide enough information to inform investors, but the Commission stated it did not want to "[increase] a company's vulnerability to cyberattack" and sought "to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors."
The Federal Register shows the rules took effect September 5, 2023. Compliance with the incident disclosure requirement began December 18, 2023 for most registrants (June 15, 2024 for smaller reporting companies), and the annual disclosures apply to fiscal years ending on or after December 15, 2023.
Key new SEC cybersecurity rules
Form 8-K Item 1.05: disclosure of a material cybersecurity incident within four business days of determining that the incident is material, covering its nature, scope, timing, and material impact (or reasonably likely material impact) on the company.
Regulation S-K Item 106(b): annual disclosure (Form 10-K) of the company's processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any such risks have materially affected, or are reasonably likely to materially affect, the company.
Regulation S-K Item 106(c): annual disclosure of the board's oversight of cybersecurity risk and management's role and expertise in assessing and managing that risk.
How To Prepare
Review the rules with security leads and with the audit, legal, and finance teams who manage filings, and create a process to meet the Form 8-K deadline: four business days after the company determines that an incident is material, a determination the rules require to be made without unreasonable delay.
Ensure your company has a documented, repeatable method for deciding when a cybersecurity incident meets the threshold of being "material," including who makes the call and what evidence they rely on.
Security leaders must draft the description of the process for identifying and assessing cyber risk required by Item 106(b). This may include the cyber risk tools in use, the risks those tools address (e.g., external attack surface or risk of data loss), and the processes their teams follow to mitigate identified risks.
Leaders across security and audit must work with the board of directors to create a process, if one is not already in place, for how the board will oversee cyber risk, including which committee is responsible and how often it is briefed. This may include making cybersecurity a permanent topic in quarterly business reviews (QBRs) to review risk scores, key drivers of risk, mitigation actions, and needed investments.
Security leaders must document the roles and relevant expertise of the management positions or committees responsible for assessing and managing cyber risk, since Item 106(c) requires this in the annual report. Note that the final rule did not adopt the proposed requirement to disclose board members' cybersecurity expertise, although companies may still choose to describe it in annual and proxy filings.
Risk360: How Zscaler thinks about cyber risk
Zscaler Risk360™ is a risk framework that quantifies cyber risk by ingesting data from an organization's Zscaler environment. Risk360 offers visualizations, financial exposure estimates, and board-ready reporting, along with detailed, actionable security risk insights that teams can use to prioritize mitigation.
Risk360 measures cyber risk across key stages of the attack chain:
External attack surface
Compromise
Lateral movement
Data loss/exfiltration risk
Take the next step
Let our experts show you how Zscaler Risk360 helps minimize your organization's attack surface, prevent lateral movement, and reduce the risk of data loss.