Dealing With The SEC’s Tight Timeframe For Complying With The New Cybersecurity Disclosure Rules: RoseRyan Insights

The SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” final rules were adopted by the agency on July 26, 2023. These new regulations apply to all types of periodic filers, including domestic registrants, foreign private issuers, smaller reporting companies and emerging growth companies.

If your company falls into one of these categories, your team will have to get up to speed fast to ensure that you’re not falling foul of compliance requirements. Our latest Insights blog by IT and SOX controls specialist and RoseRyan consultant Pankaj Jalan* explores what you need to know about the new SEC rules, and how to come up with a process that you can follow under a time crunch.

What You Need To Know

The most important things to know about these new regulations are:

  • Publicly traded companies will only have a short window of time in which to disclose any material cybersecurity incidents: that is, an 8-K filing must take place within four days of an incident occurring.
  • These companies will now also need to disclose their cybersecurity risk management, strategy, and governance in their 10-Ks—starting with their annual report for the fiscal year ending on or after December 15, 2023.

This means that affected companies need to figure out now how they will comply with the new Securities and Exchange Commission cybersecurity incident reporting rules, and establish a plan for responding quickly when an incident occurs.

Don't get caught off guard: be ready to deal with cybersecurity incidents before they happen

Start By Asking the Right Questions

To get the ball rolling in meeting the SEC’s newly-implemented rules, companies must think through the following questions:

  • Does your cybersecurity incident response process capture quantitative and qualitative factors to make materiality conclusions?
  • Has your organization defined what it considers crown jewels?
  • Is senior management—across the organization, not just IT—able to make timely decisions on materiality of cyber incidents? Is training necessary?
  • Can your cybersecurity incident response process aggregate materiality of several related incidents?
  • Is there a process to ensure the financial reporting team can file an 8-K disclosure within four days of the materiality determination?
  • Can your cybersecurity incident response process capture incidents reported by your third-party service providers?
  • How can you obtain information from your service providers to draw conclusions on the materiality of their cyber incidents on a timely basis?

When an organization goes into crisis mode, there isn’t time to debate what to do. Your company’s reaction time and response when a material cybersecurity incident occurs will be made more efficient by considering these questions in advance, and thinking through the issues raised in the SEC’s rules. It will also be better prepared to meet SEC compliance requirements in the longer term.

Another thing to consider: while you will want to be transparent in satisfying these new rules, you also don’t want to build a roadmap that hackers could follow. Input from across the organization is critical to assess all the challenges and get this process going—and time is limited.

SEC Cybersecurity Disclosures: Time to Comply Begins Now

If this all sounds like a lot to take in, it is. And the consequences of not being on top of this important topic could be serious.

Outside experts who understand the nuances involved with these requirements and best practices for following them can provide fresh perspective as your company looks to make any improvements or develop appropriate processes.

If your organization needs guidance ticking the right compliance boxes, RoseRyan—a ZRG Partners, LLC company—can help.

To read the full blog, visit our Knowledge Hub.


*RoseRyan consultant Pankaj Jalan is an IT and SOX controls specialist. Previously he was Security and Controls Director at PepsiCo, and he worked at Deloitte for over a decade.
