New Rules Strengthen SEC Cybersecurity Oversight for Public Companies

March 2023

by Julia Winer

The United States Securities and Exchange Commission (SEC) has recently announced a set of new rules aimed at strengthening cybersecurity oversight for public companies. The rules, which were approved in December 2022, are designed to ensure that companies have the proper controls in place to protect against cyber threats, such as unauthorized access, data breaches, and cyber-attacks. These measures include implementing robust risk assessment and management systems, having proper incident response plans, and training employees on cybersecurity best practices. Required disclosures include:

Cybersecurity risk management practices

Under the new rules, companies will be required to disclose more information about their practices and policies, including details on how they assess and manage cybersecurity risks, their incident response plans, and any other cybersecurity risks they face. These disclosures will be required in the company’s annual and quarterly reports filed with the SEC, as well as in other SEC filings.

Incident reports

In the event of a cyber incident, companies will be required to provide timely and transparent disclosure of the incident, including its potential impact on the company’s financial and operational performance and any steps taken or planned to address the incident and mitigate its effects. The SEC will also require companies to have a clear incident response plan in place that addresses the identification, assessment, and management of cybersecurity incidents, as well as communication with customers, shareholders, and regulatory authorities.

Board expertise

Public companies will also be required to disclose more information than before regarding the cybersecurity expertise of their board members. Specifically, the rules will require companies to disclose whether any members of their board of directors have expertise in cybersecurity, and a description of that expertise when applicable. This information could include the board member’s qualifications, professional experience, and any other relevant experience or training related to cybersecurity.

While achieving compliance with these new SEC rules poses a challenge for risk managers, the rules also provide an opportunity for program maturation. More specifically, by implementing a strong risk management platform, you can maintain compliance with these rules while increasing your operational efficiency:

“Companies trying to comply with these rules must manage all the technical data being generated throughout their organization while identifying the relevant information and producing board-ready reports,” said Andrew Egoroff, Senior Cybersecurity Specialist at ProcessUnity.

“Organizations waste time and resources processing large quantities of data just to find the information their board needs to make decisions about risk. They also have a hard time managing the many processes and procedures required to maintain a defensible cybersecurity program. ProcessUnity customers enjoy the cost and time-saving benefits of a single platform that optimizes their cybersecurity program, from automating program activities to providing full visibility into cyber performance.”

The new rules are set to take effect in April 2023 and will apply to all publicly traded companies. It’s important for companies to start preparing for these new requirements by reviewing their existing cybersecurity policies and procedures and making any necessary changes. Companies should also work closely with their legal, procurement and IT teams to ensure that they are in compliance with the new rules.

The new rules are a step towards a safer and more secure environment for public companies, helping to protect investors and the markets from increasing cyber threats. Companies should also take all necessary steps to protect and properly handle customer data and information, as data privacy and security are a crucial part of a company's overall cybersecurity.

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.