SEC cyber regulations checklist: 7 things you can do to prepare

SEC cyber regulations apply to a broad range of roles within public companies and the financial services industry specifically. These seven steps will help your organization build a strong cybersecurity structure.

In 2023, the U.S. Securities and Exchange Commission (SEC) adopted rules to standardize the disclosure of cybersecurity incidents, as well as the annual disclosure of risk management, strategy, and governance. However, organizations are struggling to be compliant with the new regulations.¹

"Compliance with the new SEC rules presents a distinctive challenge as each registrant must determine their own processes for complying with them," Don India, CEO of RadarFirst, told Forbes.

Preparation is key to overcoming the challenges of compliance. Here are seven things your organization can do to be ready for when a cyber incident occurs.

1. Understand the scope of material information in your organization

The SEC defines materiality as "information that a reasonable investor would consider important when making an investment decision." This is the data that will determine if there is a compliance failure in a cyber incident. Learn what information in your network meets the materiality designation and what system tools are necessary to add layers of protection and make quick determinations if this information is impacted during a breach.

2. Learn the SEC 8-K disclosure requirements

The new rules add Item 1.05 to Form 8-K.² This item requires disclosure of the following information regarding a material cybersecurity incident:

• The material aspects of the nature, scope, and timing of the incident; and
• The material impact or reasonably likely material impact on the registrant, including on the registrant's financial condition and results of operations.

3. Review your incident response program

Under the new rules, organizations must report a cyber incident within four business days. That requires a swift and well-organized action plan. An incident response program sets up a team that includes security and IT, legal, HR, communications, and leadership and board representation who create an incident response plan and conduct regular practice drills for preparedness. The incident response team should also develop an action plan specifically around the requirements of the SEC cyber regulations.

4. Implement a cybersecurity governance program

The incident response program is about the actions after an incident. A governance program is about actions to take before an incident. Governance programs create the paths of communication between the cybersecurity teams and leadership to ensure compliance and regulatory policies are in place and that all cybersecurity practices meet business goals.

5. Conduct audits and tests of the network infrastructure

You should know where potential problems are in your system. Audits, penetration testing, and a complete diagnostic overview of the entire cybersecurity program will uncover weaknesses and vulnerabilities, allowing you to close gaps that could result in SEC-related breaches.

6. Build a strong cybersecurity culture across the organization

Cybersecurity is everybody's responsibility. A strong cybersecurity program will include regular awareness training for all employees and the establishment of strong policies and procedures that everyone is expected to follow, including how to report something suspicious.

7. Be ready for change

The reversal of the Chevron Doctrine is expected to have significant implications for cybersecurity regulations, including:

• Increased vulnerability to legal challenges
• A more fragmented regulatory environment for organizations operating in multiple regions
• Heavy reliance on clear legislation to withstand legal scrutiny
• Potential slowdown in regulatory response, potentially hindering agencies' ability to address quickly emerging threats

The regulatory landscape for cybersecurity is changing rapidly and poses significant challenges for companies that need to comply with different standards and expectations. By implementing these seven strategies, organizations not only reduce the risks and costs of non-compliance, but also improve their resilience and reputation in the digital era.

¹ Bob Zukis, "Companies Are Already Not Complying With The New SEC Cybersecurity Incident Disclosure Rules," Forbes, March 4, 2024.

² "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," SEC.gov, April 19, 2024.