Understanding SEC requirements for cybersecurity disclosures

We have developed an overview of the SEC cybersecurity disclosure ruling, with four steps you can take to help prepare and comply with the SEC cybersecurity rules for public companies.

Overview of final rules

The final rules focus on improving and standardizing disclosures related to cybersecurity incidents,² as well as reporting on cybersecurity risk management, strategy, and governance for public companies.

1. Disclosure of cybersecurity incidents
   a. Report “material” cybersecurity incidents within four business days, based on materiality determination, without “unreasonable delay”
   b. Describe the incident’s material impact or reasonably likely material impact
   c. Disclose if one or more of the above required items is not determined or is unavailable at the time of the filing
   
   Periodic Form 8-K Item 1.05
   
   
2. Disclosure of cybersecurity risk, management, & strategy
   a. Disclose processes for assessing, identifying, and managing material risks from cybersecurity threats
   b. Describe how processes have been integrated into an overall risk management system or processes
   c. Describe risks, including those resulting from previous incidents that have materially affected or are reasonably likely to materially affect business strategy, results of operations, or financial condition
   d. Disclose whether cybersecurity program engages consultants, auditors, or other third parties, as well as the processes to identify and manage risk from third parties
   
   Annually 10-K, Regulation S-K Item 106(b)
   
   
3. Disclosure of cybersecurity governance
   a. Describe the board’s oversight of risks from cybersecurity threats, and identify the committee or subcommittee responsible for oversight and the process for informing such committees
   b. Describe management committees or positions responsible for, and experience with, assessing and managing cyber risks
   c. Disclose whether and how management reports cybersecurity information to the board or a committee or subcommittee of the board
   
   Annually 10-K, Regulation S-K Item 106(c)

As per SEC, materiality of an incident is based on company’s evaluation of the incident. The content on this slide is based on Deloitte publication, Heads up, Volume 30, Issue 13, titled ‘SEC Issues New Requirements for Cybersecurity Disclosures.’

Taking action to prepare and comply

Here are four practical steps you can take to prepare for and comply with SEC cybersecurity rules for public companies.

1. Conduct an SEC readiness assessment
   Safeguard the organization’s reputation and protect against cyber risks while complying with SEC rules:
   + Develop a foundation to evolve response capabilities as threats evolve
   + Identify potential risks and address issues promptly
   + Provide evidence that you are taking steps to comply
   + Understand maturity of incident response, escalation, and reporting processes
2. Evolve cyber incident response and reporting capabilities:
   Protect the organization’s interests, maintain trust, and strengthen overall cyber resilience:
   + Define materiality criteria and embed in incident processes
   + Continue to meet disclosure obligations as incidents evolve
   + Learn from past incidents and improve resilience
   + Maintain investor confidence and protect shareholder value
3. Apply stakeholder coordination and orchestration processes
   Develop broad disclosure capabilities that are interconnected:
   + Facilitate timely and appropriate disclosures
   + Combine legal guidance with cybersecurity experience
   + Develop accountability for compliance and disclosure
   + Provide consistent disclosures with transparency
4. Enhance the cybersecurity governance framework
   Provide shareholders with confidence that cyber is a top organizational priority:
   + Strengthen governance by educating the board and management
   + Foster a culture of responsibility and accountability
   + Implement operating models for risk management
   + Identify board committee or subcommittee responsible for cybersecurity oversight

Effective cybersecurity capabilities that are essential for compliance and form the basis of a strong cybersecurity program include, but are not limited to:³ continuous logging and monitoring, enhanced policies and procedures, incident response, and effective governance capabilities.

¹ Securities and Exchange Commission (SEC), “SEC adopts rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies,” press release, July 26, 2023.

² As per SEC, materiality of an incident is based on company’s evaluation of the incident. The content on this slide is based on Deloitte’s “SEC issues new requirements for cybersecurity disclosures,” Heads Up 30, no. 13 (July 30, 2023).

³ The above list is not an exhaustive compilation of all the actions that should be taken, or capabilities deployed. Additional cybersecurity measures and leading practices may also be required to determine protection and compliance with SEC requirements for cybersecurity disclosures.

Get in touch

Learn more about how Deloitte is helping clients navigate understanding and complying with the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure ruling for public companies.