The U.S. Securities and Exchange Commission (SEC) proposes overhauling requirements for cybersecurity disclosures by company boards:
“We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”
Read the full text of the SEC's proposing release on sec.gov.
What does this mean for your business?
Rise in data breaches drives need for more transparency
In the third quarter of 2022, the number of companies reporting data breaches continued to outpace prior years. Last month, Info Security Magazine reported that 108.9 million accounts were breached in the third quarter of 2022, a 70 percent increase over the previous quarter.
The United States is among the most targeted countries for attackers, which adds to the SEC's urgency in finalizing the rules. Breaches are costly, and the SEC has an interest in protecting investors and the wider market ecosystem from them.
IT personnel play a vital role in helping organizations prepare
Companies should build these reporting and governance processes now, before the rules are final, so that any gaps are found and fixed in advance rather than during a live incident. IT and security teams have a vital role to play in helping boards craft the proper protocols and disclosure language.
Some of the changes that companies will have to adopt when the SEC rules are finalized include:
- Current reporting about material cybersecurity incidents on Form 8-K.
This rule would require disclosure within four business days after the company determines that an incident is material, not four days from the incident itself. So if the company discovers a breach that occurred six months ago, the clock starts when it determines the breach is material, and a documented materiality-assessment process is therefore as important as the incident response itself.
Proper reporting can result in strong, attack-resistant systems
A properly designed reporting system gives the Commission, investors, and the company itself a consistent record of incidents and how they were handled, and that record is the foundation for building stronger, attack-resistant systems.
Other proposed rules include disclosing the following:
- A registrant’s policies and procedures to identify and manage cybersecurity risks.
- Management’s role in implementing cybersecurity policies and procedures.
- Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.
The SEC wants a company to publicly disclose its cybersecurity policies and protocols so that investors and counterparties can review them before doing business with it. The proposed rules would also require enhanced and standardized disclosure of a company's cyber risk management policy.
According to the SEC, the proposed rules would require companies to:
- Describe their policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation.
- Disclose the board's oversight of cybersecurity risk and management's role and expertise in assessing and managing cybersecurity risk and implementing the registrant's cybersecurity policies, procedures, and strategies.
The SEC enforces its rules through civil actions rather than criminal charges, but it can impose fines and other sanctions, and misleading disclosures carry their own legal exposure. Stay ahead and secure. Access Tech has been helping businesses for over a decade implement the latest security software and procedures. Let us help you find the gaps and close them. Contact us today for a consultation.