Ongoing SEC cybersecurity requirements
ARTICLE | May 30, 2024
Authored by RSM US LLP
The U.S. Securities and Exchange Commission in July 2023 released final cybersecurity rules requiring public companies to disclose details on material incidents as well as information on cybersecurity risk management, strategy and governance.
The SEC's move to extend its cybersecurity requirements marks a pivotal evolution in the regulatory landscape. It demands proactive measures, strategic planning, a holistic approach to safeguarding data and operations, and a shift away from an approach that emphasizes only regulated environments toward one that covers the broader enterprise. The SEC cybersecurity rules require a closer focus on three areas: oversight of cyber risks, cyber risk management, and disclosure of material incidents and risks.
While many larger public organizations likely already have processes and resources in place to meet these requirements, emerging and middle market public companies may need to make structural and cultural changes to enhance or adopt cybersecurity oversight, management and reporting processes to comply with the final rules.
The rules require the disclosure of cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers) within four business days if deemed material. Registrants must describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant in the newly introduced Item 1.05 of Form 8-K. Delayed filing is allowed if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety.
In addition to completing Form 8-K, registrants must file Form 10-K to describe their cybersecurity risk management and strategy, management’s role in assessing and managing material risks from cybersecurity threats, and their board of directors’ oversight of cybersecurity risks.
The SEC rules define three key terms as follows:
- Cybersecurity incident: An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat: Any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Information systems: Electronic information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the registrant’s information to maintain or support the registrant’s operations.
Because a series of individually immaterial incidents may become material when considered together, registrants must continually refine their incident response management process so that related incidents can be properly assessed in aggregate. This includes maintaining a robust incident logging process that records incident details. Ongoing evaluation of the materiality of these incidents in aggregate is imperative to enable informed disclosure decisions.
In light of the SEC's broadened cybersecurity requirements, organizations must adopt a proactive stance to achieve compliance and enhance their overall security posture. Consider the following crucial steps to guide you on this journey:
- Conduct comprehensive asset inventory and management.
- Implement a unified control framework.
- Balance compliance and protection.
- Implement continuous control assessment and monitoring.
In addition to the SEC issuing new rules, the U.S. Federal Trade Commission amended its Standards for Safeguarding Customer Information to require all nonbanking financial institutions to report a data breach incident within 30 days after discovery if it involves the information of at least 500 consumers. That Safeguards Rule update will go into effect in May 2024.
Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/ongoing-sec-cybersecurity-requirements.html