In a world where cybersecurity threats are steadily escalating, the U.S. Securities and Exchange Commission (SEC) has raised the bar on transparency and investor protection. The SEC’s newly adopted rules make it mandatory for publicly traded companies to disclose material cyber incidents. This development integrates cybersecurity as a pivotal aspect of corporate governance, demanding heightened responsibility from both boards and management teams. As companies grapple with these stringent regulations, SISA Information Security (SISA) is committed to assisting in navigating this challenging landscape, leveraging our extensive experience and industry expertise.

Understanding Roles and Responsibilities under the New SEC Regulations

The new SEC rules represent a shift in corporate accountability. They require a holistic understanding of the cybersecurity landscape and necessitate proactive management of potential threats.

• Board’s Oversight of Cybersecurity Risks: SISA aids boards in developing a robust cybersecurity strategy that aligns with business objectives. Through our advisory services, we ensure a thorough understanding of the cybersecurity risk landscape, aiding in defining risk tolerance. Our services extend to regular risk assessments, including external audits and penetration tests, to evaluate the efficacy of cybersecurity measures. We also provide regular briefings to inform the board about the cybersecurity strategy implementation, emerging threats, and any incidents.

• Management’s Handling of Cybersecurity Risks: SISA supports management teams in crafting and executing an effective cybersecurity strategy. Our range of services includes risk assessments, identification of vulnerabilities, and advising on suitable cybersecurity technologies. We also help develop robust incident response plans and provide training to prepare your company for potential cyber incidents.

Fulfilling Regulatory Requirements

Under the new rules, publicly traded companies must disclose any material cybersecurity incident on the newly introduced Item 1.05 of Form 8-K. This disclosure needs to describe the incident’s nature, scope, timing, and material or reasonably likely material impact on the company. It must be filed within four business days after determining the incident’s materiality. However, this disclosure can be delayed if the U.S. Attorney General determines that immediate disclosure would risk national security or public safety.

Furthermore, the rules add Regulation S-K Item 106, requiring companies to outline their processes for assessing, identifying, and managing material risks from cybersecurity threats. Companies must disclose any material effects or reasonably likely material effects of risks from cybersecurity threats and previous incidents. This requirement describes the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in handling such risks. These disclosures will be required in a company’s annual report on Form 10-K.

Given these comprehensive and technical requirements, meeting the new regulations might seem overwhelming. With its deep cybersecurity and regulatory compliance understanding, SISA can guide your company through this process. We can assist in accurately determining an incident’s materiality, gather the necessary information, and prepare Form 8-K to meet the SEC’s reporting requirements.

In conclusion, the new SEC rules mark a significant shift in corporate governance and cybersecurity, demanding more from companies but offering the opportunity to enhance their cybersecurity posture. With SISA as your partner, you can navigate these changes with confidence. We are committed to helping you strengthen your cybersecurity defenses and maintain compliance, enabling your company to stay ahead in this ever-evolving landscape, adhering to transparency standards, and fortifying stakeholder trust.