

Highlights from the U.S. Securities and Exchange Commission Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Have you heard about the proposed SEC Cybersecurity rule? It is anticipated to be final in April 2023, which is less than a year away. That is not much time for a public company to prepare for an unprecedented volume of cybersecurity disclosures. To support this rule, you will need to:

  • Develop the foundational and detailed elements required for a fully functioning risk-based security program

  • Pivot your technically founded cybersecurity program into a strategic, board-level, risk-driven program

  • Train your security team to operate as business professionals, including reading and writing SEC forms for public disclosure

  • Create public-facing documentation about your cybersecurity program (this runs against the industry's need-to-know norm)

  • Re-educate your staff on working under board direction, including meeting the board's demands

  • Find a business-trained cybersecurity professional to sit on the board (such professionals are in short supply)

Chief Information Security Officers and Directors of Security need to start preparing now for the upcoming rule. Without early preparation to bridge the gap from technically driven security programs to strategic, board-level, risk-driven approaches, many organizations will be unprepared for the business-driven requirements coming soon. The last thing anyone in the cybersecurity industry wants to see is a 25%+ drop in stock price and company valuation because of a weak or noncompliant cybersecurity program.

You need to get started now and build a board-level, risk-driven cybersecurity strategy that offers your company a "snapshot" of your security program's effectiveness and maturity. This snapshot will let you make informed decisions about your risk-based approach and the corresponding budget requirements. For the average CISO, the transition to this model can take 6-9 months or more. A board-level, risk-driven cybersecurity strategy helps avoid unnecessary investment of time and resources by:

  • Benchmarking the areas of the program that are operating well against those that are not, so you can focus attention on the areas of need while documenting a "steady-state" mode for well-tuned operations

  • Analyzing current maturity versus desired maturity levels

  • Measuring the operational balance between people, process, and technology

  • Enabling you to establish an appropriate roadmap and budget to support and defend the chosen direction

  • Depicting graphically risk versus current and desired budget levels, to maximize impact with the widest audience

Want to read the proposed rule yourself? Here are links to the proposed rule:

I know, it’s 129 pages of light reading… Don’t worry, we have pulled out some of the most important pieces so you can get right to the important parts:

Proposed SEC Rule Overview

The U.S. Securities and Exchange Commission (“Commission”) is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The following is a summary of the proposed rule:

  • Require current reporting about material cybersecurity incidents on Form 8-K

  • Require periodic disclosures regarding, among other things:

      • A registrant’s policies and procedures to identify and manage cybersecurity risks

      • Management’s role in implementing cybersecurity policies and procedures

      • The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk

      • Updates about previously reported material cybersecurity incidents