The SEC's New Cybersecurity Disclosure Rules: A Guide for CFOs
Are you trying to understand the SEC's latest rules on reporting cyber-attacks? Wondering how these rules will affect your role as a CFO and how you can protect your company's money and information from hackers?
In this article, we'll give you a straightforward overview of the SEC's new requirements for reporting cyber-attacks. Intelligent Technical Solutions (ITS) has over 20 years of experience in helping companies meet government regulations, and we're here to explain what these changes mean for you.
That's why we asked Sean Harris, ITS’ Senior VP for Cybersecurity, to answer questions like:
- What are the new SEC Disclosure rules and requirements?
- Why are these rules important?
- How can you follow these rules and use them to help your company?
We'll guide you through what you need to do to quickly report cyber-attacks and how to include cybersecurity in your company's financial planning. Our goal is to help you follow the new rules and keep your company safe.
What are the new SEC disclosure requirements?
As attackers grow more sophisticated, the SEC now requires public companies, including foreign private issuers, to report the cyber-attacks they face promptly.
“I know that there are many companies that have breaches, but they would prefer not to let anybody know due to fear of reputational damage,” Harris said.
To combat this, the SEC now requires annual cybersecurity reporting from companies, built around the following key obligations:
1. Prompt incident disclosure
Companies must report significant cyber-attacks within four days using Form 8-K, detailing the following:
- What happened
- The scope of the attack
- When it happened, and
- How it might affect the company
2. Comprehensive annual reporting
Companies must explain how they identify and manage cyber risks, including how their leaders oversee these risks. This information is part of the yearly 10-K report.
3. Global compliance for foreign private issuers
The same reporting rules apply to foreign private issuers operating in the US (using Forms 6-K and 20-F instead), underscoring that cybersecurity disclosure is a worldwide expectation.
4. Strict deadlines and data requirements
There are specific deadlines for these reports. For example, the yearly security report is due after December 15, 2023. Smaller reporting companies have an additional 180 days before Form 8-K disclosure is required.
Companies will also need to use a special format called Inline XBRL for their reports, which will make the data easy to analyze.
5. Structured data for enhanced transparency
Companies will eventually need to use Inline XBRL to make their reports consistent and easily accessible, showing the SEC's focus on clear and comparable information.
What are the implications of these new requirements?
These rules mark a significant shift towards treating cybersecurity as an essential part of running a company.
“And it’s critical to get people to actually disclose what's happening,” Harris adds.
For chief financial officers (CFOs), this means actively participating in cybersecurity strategy discussions, ensuring that investments in security align with corporate financial goals, and developing mechanisms for rapid response and disclosure of incidents.
But it's more than just legal compliance.
The SEC's comparison of cyber incidents to major physical damage highlights the serious financial risks they pose. This requires a strategic approach to cybersecurity that fits within the company's overall financial planning.
How can you comply with SEC disclosure requirements?
Complying with the SEC's cybersecurity disclosure requirements involves multiple moving parts - just submitting forms isn’t enough. Here are some steps to get you started:
1. Evaluate your current cybersecurity.
Assess your organization's current cybersecurity measures against the SEC's requirements. This includes evaluating incident detection, response capabilities, and governance structures.
“There's an old adage that my professor would say,” Harris said, “he did the whole circle where this is the knowledge you know, this is knowledge you don't know, and then he’d show this whole extra area outside of the whole circle that says this is the knowledge that you don't know - that you don't know.”
So, getting a third party to assess your network and help you with compliance is crucial to ensuring you don’t make mistakes.
“A third-party IT organization might be able to point out things that you would never even think of,” Harris explained.
2. Strengthen cross-departmental collaboration.
Work closely with IT, legal, and compliance departments to ensure a cohesive approach to cybersecurity risk management and disclosure. Define responsibilities clearly, so everyone knows who owns which forms and tasks.
3. Prioritize transparency and stakeholder communication.
Develop clear communication strategies for disclosing cybersecurity incidents to investors, regulators, and other stakeholders, minimizing potential financial and reputational damage.
4. Practice disclosures for strategic insights.
Use the process of preparing disclosures as an opportunity to gain deeper insights into your company's cybersecurity risks and the effectiveness of current management strategies.
Ready to comply with SEC disclosure requirements?
In facing the SEC's new cybersecurity disclosure mandates, CFOs are at a crossroads. These regulations, while challenging, open the door to transforming how your organization approaches cybersecurity.
It's not just about meeting a legal requirement; it's an opportunity to lead your company to a stronger, more secure future.
By integrating cybersecurity measures into the fabric of your financial strategies and operations, you position your organization not just to withstand potential cyber threats - but to emerge as a leader in your industry for trust and reliability.
So, start by reassessing your current cybersecurity framework. Collaboration is key; engage with IT and cybersecurity professionals to ensure your strategies are up to the task.
As a company with years of experience helping businesses with complex regulatory needs, we’ve created a FREE cybersecurity assessment to get you started.
But if you want to focus on seeking training and resources for cybersecurity best practices, check out the following resources: