Navigating Governance in the Wake of the SEC's New Cybersecurity Directives


As cybersecurity threats evolve and the demand for transparency intensifies, the Securities and Exchange Commission (SEC) has responded decisively. On July 26, 2023, the SEC rolled out new cybersecurity directives targeted at public corporations, entities in the IPO pipeline, and foreign private issuers filing periodic reports. For simplicity, we'll refer to this group as SEC Registrants.

The significance of these changes, particularly the stringent four-business-day disclosure deadline, cannot be overstated. Dive deeper into the impacts of the new SEC Cybersecurity Regulation here.

Here's a roadmap for these SEC Registrants, especially those racing towards the December 18th compliance deadline:

1. Timely Disclosure of Noteworthy Cybersecurity Incidents 

The SEC now expects Registrants to disclose significant incidents within just four business days once they're identified as material. To gear up, organizations should:

  • Adjust their incident response plans so that the materiality of an incident can be determined swiftly once it is identified.

  • Develop frameworks for the materiality analysis behind such disclosures, including whether a series of smaller incidents may cumulatively be material.

  • Update their third-party cybersecurity incident guidelines to ensure timely and appropriate evaluations.

  • Integrate these disclosure practices into breach simulation exercises, being careful to protect sensitive technical specifics.

2. Comprehensive Cybersecurity Risk Management & Strategy 

Beyond immediate incident reporting, the SEC also wants to know about both internal and external cybersecurity measures adopted by the Registrants. Preparations include:

  • A rigorous review of cybersecurity procedures and how they dovetail with broader risk management initiatives.

  • Aligning with trusted industry standards, such as the NIST and ISO frameworks.

  • Engaging external evaluators to rigorously assess current cybersecurity practices.

  • Strengthening oversight of third-party service providers and establishing clear protocols to manage potential risks.

3. Cybersecurity Governance: Leading from the Top 

The governance aspect hinges on demonstrating active management and board involvement in cybersecurity efforts. The SEC's expectations revolve around:

  • Maintaining a record of top-level discussions related to cybersecurity, underscoring leadership's commitment.

  • Building comprehensive profiles that highlight the cybersecurity expertise of management figures, emphasizing the pivotal roles they play in steering cyber strategy.

In wrapping up preparations, it's imperative to maintain open channels with legal and compliance teams, ensuring every disclosure aligns perfectly with the SEC's expectations.

While these directives specifically apply to SEC Registrants, their foundational principles offer a gold standard. Companies, irrespective of their direct involvement, would do well to infuse these guidelines into their cybersecurity DNA, securing their defenses for the challenges of the digital future.


Christos Tulumba
Chief Information Security Officer