New SEC Cyber Disclosure Rules

The new SEC rules require publicly traded companies to enhance and standardize disclosures of cyber incidents. At a high level, the rules require public companies to report “material” cybersecurity incidents within four business days after discovery, as well as file updates on previously disclosed incidents. Additionally, companies are required to disclose their risk management practices and the board’s role in cybersecurity oversight.

Guidance and Tools

Find actionable guidance featured below - part of a more extensive collection of Infosec content available to our clients in the IANS Insights Portal.

2023 SEC Cyber Disclosure Rules Guidance

New SEC Rules: What Even Non-Public Orgs Should Know

SEC Cyber Disclosure Checklist

This two-part piece explains the new SEC rules, details actionable takeaways for even non-publicly traded organizations, and provides a requirements checklist focusing on incident disclosure to enable organizations to assess gaps that need to be addressed quickly.

Complete the form, and we’ll email you a copy of the 2023 SEC Cyber Disclosure Rules Guidance.

Next Steps for CISOs

For CISOs, we recommend the following actions:

Revisit current incident disclosure policies & compare them with the new regulations
Discuss what “material” incidents mean to your org & practice disclosures
Educate executives on the changes & what they mean for the business
Review board oversight structure & responsibilities on cyber matters
Hold tabletops to educate the management team & the board to prepare for cyber incidents
Use analytics to better understand the financial implications of your organization’s cyber risk exposure
Retain third-party auditors to assess your program

Videos

SEC Cyber Disclosure Guidance- Sounil Yu

Sounil Yu, IANS Research

SEC Cyber Disclosure Guidance- Allison Miller

Allison Miller, IANS Research

Additional SEC Cyber Rules Resources

Gain further insight by accessing the following IANS Faculty blogs:

Learn More: New SEC Cyber Rules: What to Do Next

Learn More: Why CISOs Need D&O Liability Insurance Coverage Now

Learn More: CISO SEC Incident Risk: Best Practices Checklist

About IANS

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for making decisions and articulating risk. We provide experience-based security insights for chief information security officers and their teams. The core of our value comes from the IANS Faculty, a network of seasoned practitioners. We support client decisions and executive communications with Ask-an-Expert inquiries, our peer community, deployment-focused reports, tools and templates, and consulting.

Vendor Assessment Community

Tech Briefings