The Definitive Guide to Mandated SEC 10-K Cybersecurity Disclosures

As of December 18, 2023, the Securities and Exchange Commission (SEC) has implemented new rules regarding cybersecurity disclosure requirements, impacting all public companies. This comprehensive guide explores the mandated SEC 10-K cybersecurity disclosures, delving into their implications for annual reporting, essential elements to include in the 2023 financial results, and the crucial steps to ensure accuracy and consistency in your company's disclosures.

Covered Companies

The SEC rules apply to all publicly traded companies with a class of equity securities listed on a U.S. stock exchange, including foreign companies listed on U.S. exchanges. Private companies, however, are exempt from SEC jurisdiction, as they are not required to file annual reports with the Commission.

The Final SEC 10-K Cybersecurity Disclosures

The purpose of the new SEC 10-K cyber disclosure rules is to inform shareholders about material information relevant to investment decisions, without divulging sensitive security details. The final rules focus on processes rather than policies and procedures, emphasizing 'material' risks and not all risk types.

Action: Create a section under Item 1 and label it Cyber Risk Program.
Action: Create a section under Items 1 and label it Cyber Risk Governance.

Action: Create a section under Items 1 and label it Cyber Risk Manager(s).

Download Playbook

To comply with the SEC cybersecurity rules, companies must address specific disclosure requirements in their annual reports.

Disclosure Requirement 1: Cybersecurity Risk Management Program

  • Confirm if your company has a cybersecurity risk management program.
  • Describe the program in 2-3 sentences.
  • Explain how material cyber risks are managed and integrated into overall risk management.

Disclosure Requirement 2: Engagement of Third Parties

  • State whether your company engages third parties in its cyber risk management program.
  • Provide a brief description in 2-3 sentences.

Disclosure Requirement 3: Third-Party Cyber Risk Oversight

  • Confirm if your company has a process to oversee and identify cybersecurity risks associated with third-party service providers.
  • Describe the process in 2-3 sentences.

Disclosure Requirement 4: Material Risks or Incidents

  • Disclose material cybersecurity-related risks or incidents that have affected or are reasonably likely to affect the company's results of operations or financial condition.

The following are NOT mandated requirements:

  • The company’s cyber risk management policies and procedures
  • The company’s incident management policies and process
  • The company’s BCP/DR policies and process in the event of an incident
  • The company’s corrective actions as a result of previous incidents

Cyber Risk Governance Disclosure Rules

Disclosure Requirement 5: Board of Directors Oversight

  • State whether the Board or a Board committee oversees cybersecurity risks.
  • Describe the program and how the Board considers cyber risks in 2-3 sentences.

Disclosure Requirement 6: Reporting to the Board of Directors

  • Explain the process by which the Board is informed about cybersecurity risks.
  • Discuss the process of escalation and the Board's awareness of material cyber incidents.

Role of Management in Cyber Risk Disclosure Rules

Disclosure Requirement 7: Managing and Monitoring Cyber Risks

  • Identify whether management or committees are responsible for measuring and managing cybersecurity risk.
  • Describe the prevention, mitigation, detection, and remediation of cyber incidents.
  • Highlight the expertise and training of responsible individuals.

Disclosure Requirement 8: Cyber Risk Manager or Personnel

  • Specify if the company has a designated chief information security officer or equivalent.
  • Describe their roles, responsibilities, and relevant expertise.

Disclosure Requirement 9: Reporting to the Board of Directors

  • Detail how frequently responsible individuals or committees report to the Board on cybersecurity risk.

Public companies now face new cybersecurity reporting requirements, necessitating the disclosure of cybersecurity risk management programs, processes, and updates on significant cyber events. Adhering to the SEC's mandated disclosures ensures transparency and accountability, providing shareholders with valuable insights into a company's approach to cybersecurity risk. Conducting thorough audits or assurance processes is vital to guarantee the accuracy and consistency of these disclosures in annual reports to shareholders. As cyber threats continue to evolve, staying compliant with these regulations is crucial for maintaining investor trust and safeguarding sensitive information.

Comments

Post a Comment

Popular posts from this blog

Streamlining SEC Compliance with Cutting-Edge Software Solutions

Image
 In today's rapidly evolving regulatory landscape, staying compliant with Securities and Exchange Commission (SEC) guidelines is paramount for financial institutions. With the increasing complexity of regulations, manual compliance processes are becoming inefficient and prone to errors. To address these challenges, many firms are turning to advanced SEC compliance software solutions to streamline their regulatory efforts effectively. Understanding SEC Compliance Software SEC compliance software is designed to assist financial institutions in managing and adhering to the myriad of regulations set forth by the SEC. These solutions offer a comprehensive suite of tools to automate compliance tasks, monitor regulatory changes, and ensure adherence to evolving standards. Key Features and Benefits Automated Reporting   SEC compliance software automates the generation and submission of regulatory reports, saving time and reducing the risk of inaccuracies. Risk Assessment and Monitoring  
Read more

Safeguarding the Financial Frontier - Navigating SEC Cybersecurity Enforcement

Image
In an age where digital threats loom large, the Securities and Exchange Commission (SEC) has emerged as a vigilant guardian of the financial frontier, recognizing the critical role cybersecurity plays in preserving market integrity. The SEC's cybersecurity enforcement efforts have intensified in response to the escalating sophistication of cyber threats, reflecting a commitment to maintaining investor confidence and protecting sensitive financial information. This article delves into the realm of SEC cybersecurity enforcement, examining its evolution, key focus areas, notable enforcement actions, and the lessons these actions impart to businesses operating in an era of technological risk. I. Evolution of SEC Cybersecurity Enforcement: The SEC's journey into cybersecurity enforcement can be traced back to its initial foray into guidance in 2011. While the early emphasis was on disclosure, the Commission has evolved its stance, recognizing that enforcement is a critical componen
Read more

Empowering Responsible AI Governance- Exploring Free Proof-of-Concept Solutions

Image
In today's digital landscape, the integration of artificial intelligence (AI) has become ubiquitous, offering unprecedented opportunities for innovation and efficiency across various sectors. However, with this advancement comes the imperative need for responsible AI governance to ensure that AI systems operate ethically, transparently, and accountably. Recognizing this necessity, Essert introduces a groundbreaking initiative - Free Proof-of-Concept (PoC) solutions for Responsible AI Governance. Responsible AI governance encompasses the development and implementation of policies, protocols, and frameworks that guide the ethical use of AI technologies. It addresses concerns such as fairness, accountability, transparency, and privacy to mitigate potential risks and ensure that AI systems serve the common good. However, despite the critical importance of AI governance, many organizations face challenges in initiating comprehensive frameworks due to resource constraints, lack of expert
Read more