New SEC Rules on Cybersecurity: Strengthening Information Security Programs for a Resilient Future

In a rapidly evolving digital landscape, cybersecurity has become a paramount concern for businesses and investors alike. Acknowledging the significance of this issue, the U.S. Securities and Exchange Commission (SEC) just adopted new rules aimed at enhancing cybersecurity risk management, strategy, governance, and incident disclosure by public companies. SEC Chair Gary Gensler emphasized the need for consistent and decision-useful disclosures, benefitting both investors and businesses. These rules, effective 30 days following their publication, will have a profound impact on information security programs.

The SEC's New Rules: A Step Towards Transparency

The newly adopted rules, requiring registrants to disclose material cybersecurity incidents and annual information on their cybersecurity risk management, strategy, and governance, mark a significant stride towards increased transparency in the business world. By mandating consistent and comparable disclosure practices, the SEC aims to empower investors with better insights into a company's cybersecurity posture, enabling them to make informed decisions.

Registrants will now be obligated to disclose any material cybersecurity incident on Form 8-K, along with details about the incident's nature, scope, timing, and its potential impact on the company. Such disclosures must be made within four business days of determining the incident's materiality. However, disclosure can be delayed if it poses a substantial risk to national security or public safety, as determined by the United States Attorney General.

The new rules also introduce Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks arising from cybersecurity threats. Additionally, registrants must divulge the board of directors' oversight of these risks and the expertise of management in handling cybersecurity threats. These disclosures will be part of a registrant's annual report on Form 10-K, ensuring a comprehensive overview of their cybersecurity practices.

Implications for Information Security Programs

For businesses, these new SEC rules are a wake-up call to bolster their information security programs. A mature information security and business continuity capability is now more crucial than ever. Organizations must not only focus on preventing cyber incidents but also on efficiently managing and mitigating their impact when they occur.

To build an effective information security program, companies can turn to the recently released Ultimate Guide to Information Security and Continuity developed by OCEG. This comprehensive guide outlines the fundamental components of an information security program and presents good practices drawn from leading global sources of guidance. By following the OCEG GRC Capability Model as described in the Guide, businesses can develop, implement, and continually improve their information security programs, enhancing effectiveness, efficiency, and operational resiliency.

By mandating consistent and comprehensive disclosure practices, the SEC’ new rules seek to empower investors with valuable insights while compelling companies to prioritize and strengthen their information security programs. To navigate these changes successfully, businesses can turn to the Ultimate Guide to Information Security and Continuity for a roadmap to developing robust information security programs and streamlining the compliance process.

Unlock OCEG's Ultimate Guide to Information Security & Continuity Today

OCEG's Ultimate Guide takes the guesswork out of developing, managing, and improving information security programs, providing organizations with a valuable tool to assess and enhance their cybersecurity practices. Notably, for investors, underwriters, and other external stakeholders, the Guide serves as a benchmark to evaluate and reward organizations that excel in their information security efforts.