What You Need to Know About the SEC’s Cybersecurity Regulations

As an organization specializing in risk management, we’ve seen the devastating consequences of cyber-attacks. Readiness and the ability to minimize the consequences of the inevitable event are keys to survival. From day one, Axio’s vision was to solve cyber risk by ensuring that the impact of successful attacks would never end an organization’s existence, let alone impact it more substantially than any other known and managed risk.

Cyber risk understanding and spending on security controls increasingly go hand in hand now, yet the connection wasn’t always apparent before. Board and C-Level executives were typically left in the dark about the financial impact of potential cyber events, and cybersecurity was positioned as a technical problem for technical stakeholders.

Not anymore.

While we fully recognize that many folks shudder at the mention of increased regulation, we know first-hand from our collaboration with thousands of organizations over the past few years that the Securities and Exchange Commission’s proposed new cybersecurity regulations can significantly and positively impact publicly traded companies and organizations in the financial sector.

Now’s the time to understand the new regulations and take steps to ensure you are ready when compliance becomes necessary. Below we summarize what you need to know.

The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. This gives organizations approximately five months to confirm compliance plans before the new disclosure requirements take effect in mid-December. 

In brief, the disclosure requirements can be broken into 3 Pillars:

Cyber incident reporting

• Report “material” cybersecurity incidents on a Form 8-K within four business days of materiality determination.
• Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant. To the extent required information is not determined or is unavailable at the time of the filing, the 8-K should include disclosure of this fact, and the 8-K should be later amended when the information is determined or becomes available.
• Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors

Cyber risk management and strategy

• Describe the company’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including:
  • whether cybersecurity is part of the overall risk management program, engages consultants, auditors or other third parties, and processes to oversee and identify risks from use of third-parties.
  • whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant’s business strategy, results of operations, or financial condition.

Cyber governance

Describe the company’s governance of cybersecurity risks as it relates to:

• The board’s oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for oversight and the process by which they are informed about cyber risks.
• Management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures and strategies.
• Specific disclosure of any management positions or committees responsible for assessing and managing cyber risks, including discussion of their relevant expertise.

Who is affected by the SEC cybersecurity regulations?

The impact of these proposed regulations will be felt by multiple stakeholders. This isn’t just a cybersecurity issue that can be dealt with in a technical manner but a wide-reaching paradigm shift for the entire business community.

So, what will change?

• Investors- will be able to make more prudent decisions on capital allocation during their due diligence process.
• Boards of Directors- will demand easy-to-understand cybersecurity reporting.
• C-level Executives- will treat cybersecurity as a business operational risk, giving the CISO not only a seat at the table but an opportunity to showcase how their decisions affect the entire enterprise.
• Security teams- will be scrutinized closely and will have to strengthen their risk assessment and reporting of improvements.

What you can do now to prepare for SEC’s cybersecurity regulations

Invest in a risk management platform

Axio was formed on the basis that cybersecurity is a problem that should be understood and managed from both a business and financial standpoint. Companies can better protect themselves and their clients from cyber threats by taking proactive measures to comply with these regulations. . We strongly encourage all companies to take cybersecurity seriously and to invest in proactive risk management measures. Cyber threats will only become more sophisticated and more prevalent in the years to come, and companies that fail to take these threats seriously are putting their clients and their reputation at risk.

Include cyber risk quantification as part of your cybersecurity strategy

When new threats and vulnerabilities are made public, security leaders can use cyber risk quantification to model the potential impact (or lack thereof) within their organization and more effectively determine whether to take mitigating actions should. The notion of impact is what enables risk reduction. This new language of cybersecurity has already been praised by insurers who would ultimately like to ensure more sustainable and appropriate cyber insurance coverage.

Empower board members with cyber risk knowledge and reporting

Boards should be talking with management to ensure clarity on new reporting requirements for incidents and cyber risk mitigation governance. All directors should seek to understand and mitigate cyber risk by leveraging expert advice from experienced risk management professionals. External advisors can evaluate the board’s expertise and recommend additional training for the full board or designated cyber experts.

Work with a cyber resilience expert

If you are unsure about how to best protect your company’s data and systems, consider working with a trusted cybersecurity expert who can help you assess your risks and develop a comprehensive security plan.

Ultimately, cybersecurity is a team effort. It requires collaboration between IT, legal, compliance, and other stakeholders to develop a comprehensive security strategy that addresses your business’s unique risks and needs. By working together and staying vigilant, we can help protect you from the growing threat of cyber-attacks.

Published on April 18, 2023, updated on August 24, 2023