How to Prepare for New SEC Cybersecurity Disclosure Requirements


Security incidents are a fact of business life today, but an organization’s incident response and its handling of disclosures can make a big difference.

Many organizations used to go quiet whenever cybersecurity came up, but that silence has been breaking as more businesses are hit by attackers and suffer losses large enough that they must report them to regulators. The Securities and Exchange Commission is now preparing to change its rules, introducing new requirements for how public companies that report to the SEC describe their security posture.

In early 2022 the SEC published a proposal to amend its cybersecurity rules, setting out new procedures for reporting and disclosing security incidents. To some organizations the proposal may look like one more regulatory burden, even though the SEC's stated aim is to give investors better information about organizations' risk management practices and cyber governance.


The proposal is easier to understand when divided into the three main areas it addresses:

Governance: The proposed rules would require organizations to show, in their filings, how cybersecurity is overseen and how it ranks among their other business priorities. This includes disclosing the cybersecurity expertise of the board of directors, so that investors can judge for themselves how seriously the organization treats cybersecurity and how capable the board is of overseeing the CIO, CISO, and other security stakeholders.

Risk management: Investors currently have no common yardstick for measuring cyber risk when deciding whether to invest in a company. A requirement to disclose cyber risk strategy and governance therefore favors businesses that already have robust cyber risk management policies and procedures. Companies that are behind would be wise to invest now in strengthening their cyber risk management program.

Cybersecurity incidents: Under the proposed rules, organizations would have to report cybersecurity incidents they determine to be material (the proposal calls for a Form 8-K filing within four business days of that determination) and provide updates on previously reported incidents in their periodic filings. Disclosing a breach puts a company's reputation and stock price at risk, but a well-handled disclosure can also protect both. The requirement itself is not especially onerous, since many incidents already come to light even when the organization would prefer to keep them quiet. What changes is that disclosure becomes a proactive task: businesses should invest in a disclosure strategy now so that it is ready when an incident occurs.


To make sure the company is ready for the new requirements, ideally before its next quarterly report, follow these steps:

  • Assess cybersecurity’s priority: The new requirements are meant to show investors where cybersecurity sits on an organization’s list of priorities. Examine the board’s composition to determine how much cybersecurity expertise it has and whether any changes are needed to meet the new requirements. Investing in that expertise also increases the organization’s resilience, which is another way it adds value.
  • Assess the risk management approach: Find out which cybersecurity policies and procedures actually guide day-to-day workflows. This is not only good for reducing risk; demonstrating continuous improvement will become a metric investors want to see. The existence of cybersecurity policies and procedures, together with evidence that they are being applied to reduce risk, signals how important cybersecurity is to the organization.
  • Assess the incident response program: As the trope goes, there are two types of organizations: those that have been hacked and those that don’t know it yet. In light of this, businesses should invest in a proactive incident response program. A plan with playbooks for various scenarios and pre-drafted disclosure statements reduces the pressure of crisis management. Doing this before the SEC requirement takes effect will also help the organization respond more effectively when an incident does occur.
  • Establish a level of confidence: A key component of the SEC’s proposed rules is the ability to gauge how well a company’s risk management, incident response, and overall governance practices are actually working. Written policies and incident playbooks alone prove little; investing in tools and solutions that provide assurance that risk management is being executed as described is a far stronger proof point for investors.

Security incidents still happen in business today, but how an organization responds to them and handles disclosures can make all the difference. The new SEC regulations are putting in writing what many public and private companies ought to have been doing all along.
