On July 26, 2023, the Securities and Exchange Commission (SEC) introduced comprehensive cybersecurity disclosure rules. These regulations mandate that public organizations provide detailed information regarding their cybersecurity risk management, strategy, governance practices, and any cybersecurity incidents they have experienced. This new set of rules indirectly urges organizations to assess their current cybersecurity framework and target areas of improvement to mitigate cyber threats.
Who Do These Rules Affect?
Effective December 15, 2023, all registrants with the SEC must disclose cybersecurity risk management, strategy, and governance information. Similarly, on December 18, 2023, material incident reporting requirements will also be in effect. All registrants except smaller reporting companies must comply by these dates.
What Kind of Information Do Organizations Have to Disclose?
The new rules require the disclosure of:
- Cyber incidents: Material events or occurrences that compromise the confidentiality, integrity, or availability of data or information systems, often involving unauthorized access, data breaches, or disruptive cyberattacks.
- Registrants must report any incidents they confirm as material on a Form 8-K within four business days after confirmation. They must describe the nature, scope, and timing of the incident in addition to its material impact.
- Cybersecurity risk management and strategy: The systematic identification, assessment, and mitigation of potential cyber threats and vulnerabilities, alongside the development and implementation of proactive measures to safeguard digital assets and data.
- Under Regulation S-K, Item 106 will require the disclosure of the registrant’s process, if any, “for assessing, identifying, and managing material risks from cybersecurity threats.”
- Cyber governance: The framework, policies, and practices an organization employs to oversee and manage its cybersecurity efforts, ensuring alignment with strategic goals, compliance with regulations, and effective risk management.
- Item 106 also requires registrants to explain how their board of directors handles cybersecurity risks and how management assesses and manages significant cybersecurity risks, with these details to be included in their annual Form 10-K report.
How Calvetti Ferguson Can Help Decrease Cybersecurity Risks
With the added pressure of the new regulations from the SEC, it is crucial to stay ahead of the game by reexamining your cybersecurity posture. Calvetti Ferguson provides a number of technology advisory services pertaining to cybersecurity, including our cybersecurity assessment, vendor risk management, penetration testing, vCIO/CISO, and CIRP development capabilities. Our team makes cyber security simple and keeps it aligned with your organization to reduce your exposure to risks. Listed below are just a few of the ways our firm can help your organization:
- Identify and fix security weaknesses
- Avoid costly data breaches
- Decrease the severity of cyberattacks
- Protect sensitive information from unauthorized access, disclosure, modification, or destruction
- Improve the efficiency and effectiveness of cybersecurity risk management
- Keep your client’s information safe
Calvetti Ferguson can help organizations develop a set of best practices and recommendations tailored to their specific needs and risk profile. Integrating these solutions into your organization’s standard operations not only reduces the probability of cyberattacks but also naturally reduces the number of incidents needing disclosure.
Contact Us
Calvetti Ferguson works with middle-market companies, private equity firms, and high-net-worth individuals nationwide. Regardless of the complexity of the compliance, assurance, advisory, or accounting need, our team is ready to help you. Please complete the form below, and we will follow up with you shortly.