What is the new SEC Cybersecurity Disclosure Ruling?

The SEC (U.S. Securities and Exchange Commission) has adopted new cybersecurity requirements for SEC-registered publicly traded companies to disclose “material” cybersecurity incidents and their cybersecurity risk management processes. The SEC mandate enhances transparency and accountability in financial markets regarding cybersecurity incidents. It will also help investors better understand the potential impact of cyber threats on a company’s operations and financial performance.


Who does the SEC Cybersecurity Ruling impact?

The new SEC cybersecurity ruling gives consumers transparency on data breaches and provides prompt notification of cybersecurity incidents. Since cybersecurity and compliance go hand in hand, the SEC’s rule change will affect many different stakeholders:

  • Investors will need visibility on risk levels, security measures, and cybersecurity incidents
  • Key executives will need to evaluate their data security posture management and work alongside finance and legal to prepare their annual filings
  • The boards of directors must add cybersecurity experts to provide oversight
  • Data Security teams will need to strengthen their breach detection and reporting capabilities

Key compliance dates for the SEC Rule

There are specific compliance dates that differ based on the type of disclosure. Smaller reporting companies (“SRCs”) are afforded a more extended compliance period for incident reporting:

  • Disclosure deadlines start for fiscal years ending after December 15, 2023. All registrants must provide the cybersecurity disclosures beginning with their annual reports on Form 10-K and Form 20-F for that fiscal year.
  • For material cybersecurity incident disclosure, organizations must comply beginning on Dec 18, 2023, using Form 8-K and Form 6-K. SRCs have an additional 180 days to comply and must begin complying by June 15, 2024.
  • For the structured data requirements (i.e., Inline XBRL tagging), all registrants (including SRCs) must begin tagging their cybersecurity disclosures in Form 10-K and Form 20-F in Inline XBRL for fiscal years ending on or after December 15, 2024. All registrants (including SRCs) must begin tagging their material cybersecurity incident disclosures in Form 8-K and Form 6-K in Inline XBRL by December 18, 2024.
  • Foreign private issuers must disclose material cybersecurity incidents on Form 6-K, and their cybersecurity risk management, strategy, and governance on Form 20-F.

How can organizations comply with the new SEC cybersecurity standards?

Organizations must now disclose their risk-management policies and processes on Form 10-K to comply with the regulation requirements. The information needed for Form 10-K includes:

  • Describing and outlining the cybersecurity risk program
  • Describing engagement and interactions with third parties
  • Explaining steps taken to prevent, detect, and mitigate cyber incidents
  • Defining strategies to reduce cybersecurity risk
  • Detailing the continuity and recovery plan of action if a breach occurs
  • Explaining how cybersecurity risk potentially impacts financial health

Organizations must also file Form 8-K to report material cybersecurity incidents within four business days. Incident reporting covers specific events under the SEC cybersecurity rule, such as compromised information, malicious attacks, system disruptions, and events that lead to financial loss.

Additionally, the SEC has formalized guidelines for disclosure as it relates to breach reporting. Organizations must:

  1. Disclose the nature of the breach
  2. Describe the type of cybersecurity incident
  3. Provide details on all affected data
  4. Detail the impact on overall operations
  5. Report on the status of remediation efforts

SEC Regulatory Compliance Checklist

SEC Cybersecurity enforcement is in effect – are you in line with the new ruling?

Download the SEC compliance checklist to focus on the areas you need to prioritize for SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, including how to:

  • Understand SEC Cybersecurity requirements
  • Discover, map, label, and flag high-risk and critical business data to detect, prevent, and mitigate risk
  • Analyze breached data and determine the sensitive, personal data sets exposed
  • Comply with SEC breach notification timelines and requirements according to impacted residencies
  • Generate breach impact reports for regulators and auditors

How BigID Helps Organizations Prevent & Respond to Cybersecurity Incidents for SEC Compliance

Any data security strategy is a multifaceted effort that involves meticulous planning, implementation, and ongoing monitoring. But it all starts with complete data visibility and control. BigID leverages a data-centric and risk-aware approach to improve data security posture, streamline remediation, ensure compliance, accelerate breach response, and ultimately reduce data risk – at scale. Here are the ways BigID helps organizations prevent and respond to cybersecurity incidents to achieve compliance with the SEC’s new cybersecurity rules and requirements:

Cybersecurity Incident Prevention:

Cybersecurity Incident Response:

  • Analyze breached data and determine the sensitive, personal data sets exposed.
  • Pinpoint whose personal data was affected through BigID’s Identity-Aware mapping technology.
  • Identify where the data originated from to limit the fallout.
  • Comply with breach notification timelines and requirements according to impacted residencies.
  • Generate breach impact reports for regulators and auditors.

Schedule a 1:1 with one of our security experts today to learn more about how we can help you meet SEC compliance!