SEC Final Rule: Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure
How do you prepare for the new mandates?
Timely notification of ‘material’ cybersecurity incidents on a Form 8-K within four business days of detecting an incident determining an incident is material describing the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.
Updated disclosure on previously disclosed cybersecurity incidents in amendments on Form 8-K.
Companies can request more time if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national or public safety and notifies the Commission.
Incidents are considered material if it has the potential to significantly impact the price of a security or influence an investor’s decision to buy, sell, or hold a security. “Material” cybersecurity incidents would have to be reported on a Form 8-K within four business days of detecting the incident, along with updated disclosure on previously disclosed cybersecurity incidents in amendments to the Form 8-K.
including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing material cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.
and the incorporation of cyber security risk into business strategy for investors and shareholders to assess whether companies will become more resilient or conversely, more vulnerable to cybersecurity risks in the future.
Timely and consistent disclosure about material cybersecurity incidents aids investors in decision-making, strengthening investor trust.
Disclosure about the impact of cybersecurity risks on business strategy enables investors to ascertain whether companies will become more resilient in the future.
Disclosure about the board’s oversight informs investors about the role of the board in cybersecurity risk management, which may help inform their investment and voting decisions.
BluOcean will rapidly assess your current risk management program with a comprehensive toolset to drive quality and efficiency in our delivery. We have invested in educating our team on the SEC ruling to be able to effortlessly collaborate with all your key stakeholders across the organization including the CFO, legal team, CISO, and others to build a compliant cybersecurity risk governance model. BluOcean brings a multidisciplinary team with a variety of backgrounds and skills to holistically address your cyber risk management program at all levels.
We first work to define what materiality and material incidents look like in your organization using our SEAhorse solution to create a high value asset and material risk inventory with quantifiable impacts, along with a review of your current board and risk management strategy. This leaves us with a high level overview of your organization and where gaps may lie. A deep dive is conducted after to truly understand your current capabilities with a thorough documentation review of all your policies and procedures, incident response plans, risk assessments, organization charts, operating models, and board meeting presentations and notes. This unlocks a detailed view of your gaps to begin to understand how to address and remediate them. Those gaps are analyzed by our cybersecurity experts to create a strategic prioritized roadmap with recommendations taking into consideration your in-flight cyber initiatives.
Workshops with key internal stakeholders are then conducted surrounding this roadmap to develop a remediation plan with measurable tracking, reporting, and outcomes. BluOcean takes a quick and comprehensive approach to address your regulatory needs to aid your CISO, CFO, and legal team through navigating an evolving regulatory landscape.
The final rule was published in July 2023.
For incident disclosure:
December 18, 2023 for all companies or 90 days after rule publication in Federal Register
June 15, 2024 for small reporting companies or 270 days from the effective date of the rules
For risk management and governance disclosure:
December 15, 2023
At minimum your company should assess and ensure that you have written attestation of all requirements outlined in the final rule.
Among other things, your readiness checklist includes documented processes for:
Cyber risk assessment which categorizes and prioritizes cyber risk based on an inventory of organization’s high-value assets and the potential impact of a cybersecurity incident;
Cybersecurity vulnerability assessment to assess threats and vulnerabilities;
A written incident response plan that defines how the organization will respond to and recover from a cybersecurity incident, including reporting structure and cadence;
A business continuity plan designed to ensure uninterrupted operations;
Tabletop exercises to review and test incident response and business continuity plans;
BluOcean can provide a prioritized strategic roadmap along with your assessment findings that includes an estimate of cost and time to complete each initiative.
If you’re interested in understanding where your organization stands with the final release of the SEC rule, you can contact us to learn more.
Interested in working together? Fill out some info, and we will be in touch shortly.
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
BluOcean Digital is a cybersecurity & privacy firm that’s building a future where trust is at the heart of technology by elevating security to the strategy table—one client at a time.
