New SEC cybersecurity guidelines: Next steps for public companies


The Securities and Exchange Commission (SEC) recently adopted new rules (final rule, July 2023) governing how public companies manage and disclose cybersecurity risk, a significant shift in the regulatory landscape. Here, we highlight the key changes and lay out essential action steps for public companies.

What are the key changes?

  • Fast reporting: Companies must disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery, and that determination must be made without unreasonable delay. (Materiality is built around the “reasonable investor” standard used elsewhere in securities law and remains open to interpretation.)
  • Annual disclosure: Form 10-K disclosures must describe the company’s processes for assessing, identifying, and managing material cybersecurity risks, its overall cybersecurity strategy and posture, and whether any past incidents or known threats have materially affected, or are reasonably likely to materially affect, the business.
  • Governance under scrutiny: Cybersecurity governance will face rigorous scrutiny. Companies must describe board and management oversight of cyber risk, including which board committee or subcommittee is responsible, how often the board is informed about such risks, and how formal that process is.

Access full details at SEC.gov.

What do companies need to do?

Under these new rules, companies must elevate their cybersecurity practices by building effective processes for incident reporting, regulatory disclosure, risk management, and board-level governance. To adapt to these changes and help ensure compliance, businesses should consider the following action steps.

  • Fortify incident response. Refine your plans for swift identification of threats and incidents, thorough materiality evaluation, and timely reporting. Because the four-business-day clock starts when materiality is determined, the incident response plan should define who makes that determination, what information they need, and how the decision is documented. Conduct regular tabletop exercises, including the disclosure decision itself, to strengthen real-world crisis preparedness.
  • Establish a cybersecurity committee at the board level. While not explicitly required by the new rules, forming a cybersecurity committee, or naming a cyber-capable member to the risk committee, demonstrates your recognition that cybersecurity is a uniquely pervasive risk that warrants board supervision, and helps instill confidence among investors and other stakeholders. (Read more about the importance of adding cyber expertise to your board.)
  • Exercise diligence in drafting. Publicly traded companies should approach their security strategy holistically and collaborate with their financial reporting group and with lawyers skilled in both cyber and securities practice. Cybersecurity disclosures must be drafted meticulously: they become public information, they can be read by attackers as well as investors, and they now fall within the purview of securities filings. Engage securities counsel to understand the legal implications and requirements from a securities law perspective.
  • Seek objective validation. In addition to engaging independent cyber contractors or consultants, boards of publicly traded companies should obtain an independent annual assessment of the company’s cybersecurity posture. Such an assessment furnishes factual evidence supporting the Form 10-K disclosures and reinforces the organization’s cybersecurity preparedness and resilience. Once again, independence is key: the board’s assessor should not be the same consultant that management relies on.
  • Mind the clock. Time is of the essence: the compliance dates begin in December. Most publicly traded companies must comply with the Form 10-K and Form 20-F disclosure requirements beginning with annual reports for fiscal years ending on or after Dec. 15, 2023, and the Form 8-K and Form 6-K incident disclosures are due beginning the later of 90 days after publication in the Federal Register or Dec. 18, 2023, the SEC states. Smaller reporting companies have an additional 180 days to begin providing the Form 8-K disclosure (anticipated June 2024).

Contact our cybersecurity team for support in identifying your company’s needs and navigating these protocols confidently.

Contact

Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Scott Corzine, Managing Director, Cybersecurity, Technology Risk, and Privacy

703.744.8541

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.