New rules from the Securities and Exchange Commission (SEC), adopted in July 2023, have changed how public companies in the USA report cybersecurity incidents and cybersecurity risk. The aim is not to stop cyber attacks but to make cybersecurity disclosure consistent and comparable across companies, so that investors can judge the cyber risk they are taking on.

To comply as a company, you need to understand what the new requirements actually demand and when the clock starts on each of them. That understanding lets you prepare before an incident rather than during one.

This post explains how to navigate the SEC’s new rules and what a company must do to stay compliant.

How to navigate SEC’s new rules and compliance

Under the new rules, public companies must openly disclose their cybersecurity practices, risk management processes, governance structure, and material incidents. Private companies are not covered, but they should adopt the same practices: they are often suppliers to, or acquisition targets of, public companies that will ask for this information.

Three ways to make the disclosures

  1. Report material incidents: If a company experiences a cybersecurity incident that it determines to be material, it must disclose it on Form 8-K (Item 1.05) within four business days of that materiality determination, and the determination itself must be made without unreasonable delay once the incident is discovered. The disclosure must describe the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the company’s financial condition and results of operations. Technical details that would help an attacker, such as the specific vulnerability or the state of remediation, are not required. The filing should contain everything the company knows at the time; if required information is not yet available, the company says so and files an amendment once it is known. Foreign private issuers report incidents on Form 6-K instead.
  2. Disclosing cybersecurity annually: Companies must include yearly cybersecurity disclosures in their Form 10-K (Item 1C) or, for foreign private issuers, Form 20-F. These disclosures describe the company’s processes for assessing, identifying, and managing material cybersecurity risks, whether any risks from cyber threats have materially affected or are reasonably likely to materially affect the company, and the governance structure: how the board oversees cyber risk and which management roles are responsible for it.
  3. Tagging cybersecurity disclosures: Companies must tag the incident and annual disclosures in Inline XBRL, a structured data format that lets investors and regulators extract and compare the disclosures by machine rather than reading each filing by hand.

The CFO’s role in SEC cyber disclosures

CFOs are responsible for following the SEC’s cybersecurity rules: making sure material incidents are reported on time and that the annual filing accurately describes how the company manages cyber risk. This is a balance between meeting the filing deadlines and working with the people who hold the facts, such as general counsel, the CIO, and the CISO.

The rules require companies to describe their processes for managing cybersecurity risk annually in the 10-K, and to disclose material incidents promptly on Form 8-K. The materiality decision is the hard part: it must be made without unreasonable delay, so the CFO, counsel, and the security team need an agreed procedure for reaching it before an incident happens.

How can my business comply?

  • Step 1: Make your cybersecurity leadership stronger: Set up a clear structure for overseeing cybersecurity in your organisation. Name the management roles responsible for cyber risk, define how and how often they report to the board, and make cyber risk part of your overall enterprise risk management. The annual filing has to describe this structure, so it must actually exist.
  • Step 2: Build a strong defence against cyber threats: Create a cybersecurity programme that covers risk assessment, incident response, and continuous monitoring. Review and update your policies regularly so they keep pace with new threats.
  • Step 3: Improve how you detect and respond to cybersecurity issues: Invest in tooling that lets you detect and contain incidents quickly. Write an incident response plan that includes the materiality assessment and the escalation path to the disclosure committee, so the four-business-day clock is not lost while the facts are still being gathered, and train employees on their part in it.
  • Step 4: Keep good records of your cybersecurity actions: Maintain detailed records of your risk management processes, your policies, and each incident, including when it was discovered, when materiality was assessed, and what was known at each point. This record-keeping is what lets you disclose accurately and on time, and it is your evidence if the SEC later questions the timing of a filing.

Need help?