SEC Adopts New Cybersecurity Risk Management, Governance, and Incident Disclosure Requirements
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules requiring public companies and foreign private issuers to disclose material cybersecurity incidents they experience, along with annual disclosure of details about their cybersecurity risk management, strategy, and governance. The adoption follows a prolonged comment period and a round of updates to the rules originally proposed in March 2022. It represents an effort by the SEC to help investors make informed decisions by giving them clearer visibility into each company’s commitment to cybersecurity and the actions it takes to protect its systems, data, and people.
Reporting of Material Cybersecurity Incidents and Periodic Reporting to Provide Updates about Previously Reported Incidents
- Registrants will be required to report a material cybersecurity incident within four (4) business days after determining that the incident is material. This will require companies to establish a cyber incident materiality threshold. The disclosure will need to be reported on Form 8-K and include information about the nature, scope, timing, and impact of the material cyber incident.
- Registrants must provide updates on previously reported material cybersecurity incidents in their 10-Ks and 10-Qs for the period in which the update occurred.
Disclosure of Cybersecurity Risk Management, Strategies, and Governance
- Companies are required to disclose information regarding their cybersecurity policies, procedures, and governance for identifying and managing cybersecurity risks and threats.
- Details that registrants will be required to disclose in Form 10-K (and Form 20-F) include:
  - A description of the company’s cybersecurity risk management program.
  - Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with the cybersecurity risk management program.
  - How the company manages and oversees its vendors and their access to data.
  - A description of how the company undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents.
  - Whether the company has business continuity, contingency, and recovery plans for a cybersecurity incident.
  - How cybersecurity risks are considered and integrated into the company’s business strategy, financial planning, and capital allocation.
- Requirements for disclosure about a registrant’s cybersecurity governance, including the board’s involvement, expertise, and oversight over cybersecurity risk.
- Management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Compliance Dates for Registrants
- Compliance with the incident disclosure requirements begins the later of 90 days after the date of publication of the adopting release in the Federal Register or December 18, 2023, and must be reported in Item 1.05 on Form 8-K within 4 business days of the material incident determination.
- Compliance with cyber risk management disclosure requirements will begin with annual reports for fiscal years ending on or after December 15, 2023 (in Form 10-K and Form 20-F).
- Smaller Reporting Companies will have an additional 180 days and must comply with material incident disclosures in Form 8-K on the later of 270 days from the effective date of the rules or June 15, 2024.
What Should Companies Do Now?
- Confirm adequate policies and procedures covering cybersecurity have been developed and implemented.
- Adopt an annual, externally performed cybersecurity risk assessment to identify vulnerabilities and weaknesses and to define a path to resolution and mitigation.
- Assess the Board of Directors’ current role in cybersecurity risk and threat assessment, and identify whether any members qualify as a ‘cyber expert’.
- Develop or refine the incident response plan to include initial and periodic reporting requirements.
- Update and refine the vendor risk management program.
- Create a methodology for determining if a cybersecurity event is considered material to your organization.
- Harden current security configurations or adopt new security measures to reduce the likelihood and impact of attacks by threat actors.
- Update SEC disclosure checklists to comply with the new cybersecurity rules.
How Centri Can Help
At Centri, our IT risk and cybersecurity advisory and SEC compliance and financial reporting services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management and SEC compliance aligns with the specific needs of your company.
Karyn DiMassa, Managing Director | CPA, PMP, CISA, CFE
Karyn is a Managing Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support.
Rich Sowalsky, Managing Director | IT Risk & Cybersecurity Practice Leader | CISA
Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.