SEC Cybersecurity Disclosure Rules
What Are the Obligations for Your Corporation?
With the constant threat of cyber attacks against corporations of all sizes, the SEC has introduced new cybersecurity disclosure rules to ensure greater transparency and accountability for publicly traded companies. While these new rules aim to modernize the existing disclosure framework, understanding how your organization needs to adapt can be complicated.
Our new Arctic Wolf SEC Cybersecurity Rules guide will help your corporation identify supports to help you align to the new rules and more.
What are the SEC Rules on Cybersecurity Disclosure
On July 26, 2023, the United States Securities and Exchange Commission (SEC) released new rules: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. These new rules were motivated by three trends that raise the importance of timely and reliable information related to an organization’s cybersecurity:
The compliance dates vary by the type of disclosure, with smaller reporting companies receiving longer compliance periods for incident reporting. The rules took effect for all companies other than smaller reporting companies on December 18, 2023. For smaller reporting companies, they have until June 15, 2024 to meet the needed requirements.
The Objective of the final SEC Cybersecurity Disclosure Rule Changes
The objective of the final rules are:
“To enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.”
In particular, the final rule contains specific requirements for:
Cyber incident reporting, including mandatory and speedier reporting of “material” cybersecurity incidents
Cyber risk management and strategy, explaining how the organization assesses, identifies, and manages material risks from cyber threats
Cyber governance, describing the board’s oversight of cyber risks and management’s related roles and expertise
Arctic Wolf’s SEC Cybersecurity Disclosure Rules FAQs
What organizations are impacted by the new rules?
The new rules apply to all registrants reporting under the 1934 Securities Exchange Act and include comparable requirements for foreign private issuers (FPIs).
When do the new rules come into effect?
All registrants are subject to the updated disclosures for risk management,
strategy, and governance, with the new rules applying for fiscal years
ending on or after December 15, 2023. For larger registrants, the material incident disclosure requirements come into effect on December 18, 2023; smaller reporting companies have a 180-day deferral (essentially an acknowledgment that smaller organizations will have more work to do to be able to meet the new requirements).
What counts as an “incident”?
The SEC defines an incident as, “an unauthorized occurrence, or a series of
related unauthorized occurrences, on or conducted through a registrant’s
information systems that jeopardizes the confidentiality, integrity, or
availability of a registrant’s information systems or any information
residing therein.
How is “materiality” determined?
The SEC states that determination of materiality should be based on federal securities law materiality; notably, this means that the determination extends well beyond the technical details of an incident.
What timelines apply to incident disclosures?
The SEC requires that “an Item 1.05 Form 8-K must be filed within four
business days of determining an incident was material “and that “registrants must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material”— making timely and accurate information critical to the materiality assessment
process. Filing may be delayed “if the United States Attorney General
determines immediate disclosure would pose a substantial risk to
national security or public safety.” Additionally, “registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.”
How Arctic Wolf Can Help
Arctic Wolf’s Security Operations Cloud and Concierge Delivery Model supports your ability to fulfill the SEC’s new cybersecurity disclosure requirements with:
Cybersecurity Strategy Reporting
Equipping you with detailed information
and security documentation that helps you
demonstrate the existence and efficacy of
your cybersecurity program
Cybersecurity Event Intelligence
Providing the information and expertise needed to transform operational data into insights that allow your board to incorporate cyber risk into the wider business strategy
Incident Response & Reporting
Responding to incidents and equipping your organization with deep technical data to help guide materiality assessments, make disclosure decisions, and meet reporting obligations
Breach
Mitigation
Helping you proactively harden your security
posture to increase your resilience to cyber threats, backstopped by 24×7 monitoring to
rapidly detect and contain attacks
Explore how we support these components in-depth, as well as actionable insights into the rule as a whole, by downloading our guide.
Get Expert Advice From The Webinar
On-Demand Webinar
An Arctic Wolf Overview of the SEC Cybersecurity Disclosure Rules
View our webinar to get an expert overview of the new rules and learn how we support corporations with the capabilities they need for reporting on their cyber strategy and practices.
Join Arctic Wolf CISO Adam Marre, Product Marketing Manager Mike McCleary and Jon Oltsik, an ESG distinguished analyst, fellow, and the founder of the firm’s cybersecurity service, for a webinar designed to provide an expert overview of the new rules and their requirements, as well as demonstrate how we support corporations with the capabilities they need for reporting on their cyber strategy and practices.
Connect with the Arctic Wolf Cybersecurity Team Today
A combination of Arctic Wolf security operations solutions coupled with expert insights from our Concierge Security® Team (CST) can guide your organization through Arctic Wolf’s mission to End Cyber Risk. Fill out the form to learn more and we’ll be in touch with you shortly.
