Cloud Incident Response Blog | Cado Security

Three Things You Must Know About the New SEC Cyber Disclosure Rules

Written by Calum Hall | Apr 26, 2024 1:23:48 PM

The Securities and Exchange Commission (SEC) has adopted new cyber disclosure rules that require public companies to report material cybersecurity incidents and to describe their cybersecurity risk management, strategy and governance. The rules aim to give investors a clearer, more consistent picture of how companies manage cybersecurity risk and respond to incidents.

This short post highlights three aspects of the new SEC rules that you need to know about.

1. The Importance of Timely Disclosure

Under the new rules, companies are required to disclose material cybersecurity incidents on Form 8-K in a timely manner. This does not necessarily mean immediately: the filing is due within four business days of the company determining that the incident is material. Note that the clock starts at the materiality determination, not at discovery, and the rules require that determination to be made without unreasonable delay after discovery. So while notifying the SEC is a priority, there is a bounded window between discovering an incident, assessing its materiality and reporting it, and the incident response process needs to produce the facts that feed the materiality decision quickly.

This requirement is central to the goal of the new rules because timely disclosure allows investors to make informed decisions based on the most up-to-date information about a company's cybersecurity posture. It also encourages companies to take swift action to mitigate the impact of incidents and protect their assets.


2. Mandatory Disclosure of Cybersecurity Governance

The new rules mandate that companies disclose, in their annual report, details of their cybersecurity governance, including how the board of directors oversees cybersecurity risk and how management assesses and manages cybersecurity risks and incidents. This includes information about the processes and policies in place to manage and mitigate cybersecurity risk and about which management roles or committees are responsible for it.

By requiring companies to be transparent about their governance practices, the SEC aims to hold companies accountable for their cybersecurity strategies. This level of transparency can also build investor confidence in a company's ability to handle cybersecurity challenges.


3. Annual Reporting of Cybersecurity Risk Management

Another key aspect of the new SEC rules is the requirement for companies to describe, in their annual report, their processes for identifying, assessing and managing material cybersecurity risks, and whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company.

The annual report gives investors insight into a company's long-term strategy for addressing cybersecurity threats. It also helps companies stay focused on continuously improving their cybersecurity practices to adapt to evolving threats.


Preparing For Compliance 

The new SEC cyber disclosure rules significantly change how companies must approach cybersecurity, transparency and governance. Understanding these three aspects (timely incident disclosure, mandatory disclosure of governance, and annual reporting of risk management) is essential for both companies and investors.

To prepare for compliance with the new rules, companies should assess their current cybersecurity practices and governance structures. Proactive measures, such as implementing incident response plans that include a defined materiality assessment and escalation path to the disclosure committee, and regularly updating risk management strategies, can help companies meet these requirements successfully.

If you want to see how the Cado platform can support your compliance with the latest cybersecurity regulations, contact our team to schedule a demo.