SEC’s Proposed New Rules on Cybersecurity Risk Management & Disclosure

Public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 might soon face additional new requirements. The Securities and Exchange Commission (SEC) is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting.

Sunlight is the Best Disinfectant

The proposed regulations don’t quite put you under a microscope, but they let in more sunlight to equip investors with greater visibility. The SEC states, “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”

Rob Wilkinson, Lead Security Consultant at Netrix Global LLC, said, “These changes could be the impetus for many organizations to finally elevate their cybersecurity capability. Organizations large and small can get breached, but the quality and transparency of their incident response should speak volumes to investors.”

While mandated exposure can be anxiety-provoking, the upside is that improving your cybersecurity program will improve your security posture, reduce the likelihood you’ll suffer an attack, and minimize the negative impacts if you do.

Increasing Cybersecurity Threats Require Increased Reporting

Cybersecurity threats pose an escalating risk to public companies, investors, and market participants. The SEC cites increasing cybersecurity risks due to:

  • Digitalization of registrants’ operations
  • Prevalence of remote work
  • The ability of cyber-criminals to monetize cybersecurity incidents, such as through ransomware, black markets for stolen data, and the use of crypto-assets for such transactions
  • Growth of digital payments
  • Increasingly sophisticated methods used by cybercriminals
  • Increasing reliance on cloud-based Software as a Service

Mr. Wilkinson notes, “Supply chain attacks in recent years have highlighted the importance of making sure your trusted vendors have incident response programs too. At Netrix, we help our customers build third-party risk management processes to quickly measure risk and advise application owners without unnecessarily disrupting procurement.”

Cybersecurity incidents are resulting in various increasing costs and adverse consequences for both companies and their investors. Additionally, SEC staff has observed incident reporting that is inconsistent and not timely, such as smaller companies providing less disclosure, and incidents being reported in the media, but not disclosed in a registrant’s filings.

Investors Recognize the Importance of Cybersecurity Risk Management

Considering the importance of technology, investors are interested in cybersecurity risk management, and cybersecurity incidents can affect a company’s share price.

This all drives the SEC to conclude that investors would benefit from more timely and consistent disclosure about material cybersecurity incidents, as well as greater availability and comparability of disclosure by public companies regarding their cybersecurity risk management practices.

New, Additional Disclosure Obligations

The SEC’s proposed amendments require periodic disclosures about a registrant’s overall approach to cybersecurity, including:

  • Policies and procedures to identify and manage cybersecurity risks
  • Current reporting about material cybersecurity incidents
  • Clearly defining the threshold for when immaterial incidents become material
  • Updates about previously reported cybersecurity incidents
  • Description of policies and procedures, if any, for the identification and management of risks from cybersecurity threats
  • Disclosure of the level of cybersecurity expertise, if any, and oversight by the board of directors and management

What to Disclose and When

The rules require registrants to file an Item 1.05 Form 8-K within four business days of a material cybersecurity incident. These four days begin on the date you determine the incident is material, rather than the date of discovery of the incident.

The rules stipulate the scope of the disclosure that’s required, including when the incident was discovered, its impact, and its outcome. Registrants must also provide updates on previously disclosed incidents.

When in Doubt, Disclose

The guidance helps companies determine when they may be required to disclose info about cybersecurity risks and incidents. However, some of the listed conditions include the modifier “material.” Including quotes from previous case law, the SEC proposal states, “Information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision,’ or if it would have ‘significantly altered the “total mix” of information made available.’”

It seems to be increasingly difficult to gauge what is “reasonable,” but the SEC has attempted to define “material,” including descriptions such as “materiality depends on the significance the reasonable investor would place on the information.”

Additionally, the Supreme Court recognized that doubts as to the critical nature of info will be commonplace. However, doubts should be resolved in favor of those the statute is designed to protect: investors. The SEC advises, “Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material.”

The Worldwide Trend of Increasing Cybersecurity Legislation

“These changes are part of a larger trend in increasing oversight as well as the specificity of cybersecurity requirements, for example, privileged access management and multi-factor authentication. Some cybersecurity controls that were first implemented by large enterprises were, at one time, overkill for SMBs. But there’s growing recognition that SMBs require similar comprehensive security efforts since they face just as much risk – if not more. Attackers want easy targets,” said Mr. Wilkinson.

Other new regulations include the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the 2022 EU Cyber Resilience Act.

Elevating the Profile of Senior IT Management

“The new proposal requires a level of business acumen from your senior management that extends beyond the technical. You’ll need a CISO with the credibility and communications skills to translate cybersecurity controls into business conversations,” said Mr. Wilkinson.

“Some organizations may have gaps in their C-level information security leadership, which will make compliance difficult. They’ll need to raise their expectations for IT security, elevating their approach beyond the technical to encompass strategic leadership. That’s where our long-standing Virtual CISO (vCISO) service fits in,” Mr. Wilkinson added. A Netrix vCISO helps organizations to build and run practical, effective information security programs that are aligned with the organization’s risk tolerance and business strategy. Reach out to explore how Netrix can partner with you to provide executive leadership, effective communications, and a thorough review of key metrics.

MEET THE AUTHOR

Rob Wilkinson

Lead Security Consultant

Rob Wilkinson is a technology executive with sixteen years of experience leading IT in diverse businesses across the globe. He has a foundation in engineering with specialized certifications in cybersecurity, combined with the ability to map strategic vision to meaningful, well-managed projects. Rob’s enthusiasm for the industry is centered on building strong relationships between disparate teams and becoming a trusted advisor.