SEC Cybersecurity Disclosure Rules Are Now In Effect. Are You Compliant?
The SEC's cybersecurity disclosure rules are now in full effect. Investment advisors and public companies must disclose material cybersecurity incidents on Form 8-K within four business days and provide annual cybersecurity risk management disclosures. For financial practices, the compliance requirements are now binding.
What's Required
Incident Disclosure (4-Day Window)
Material cybersecurity incidents must be disclosed publicly on Form 8-K within four business days of determining materiality. "Material" means an incident that a reasonable investor would consider important. Ransomware attacks, data breaches affecting client data, and system compromises affecting operations generally meet this threshold.
Annual Risk Management Disclosure
Annual disclosures must describe:
- Cybersecurity risk management processes
- Whether cybersecurity risks have materially affected or are reasonably likely to materially affect the company
- Board oversight of cybersecurity risk
- Management's role and expertise in assessing and managing cybersecurity risk
Documentation Requirements
To support disclosures, firms must maintain documentation of: risk assessments, security policies, incident response procedures, board/management meeting minutes addressing cybersecurity, and vendor risk management processes.
Compliance Checklist
- Establish an incident materiality assessment process. How do you determine whether an incident is material? Who makes that determination? Document the process.
- Prepare disclosure templates. Have Form 8-K language ready for common incident scenarios. When the clock starts, you don't want to be drafting from scratch.
- Implement board-level cybersecurity oversight. Cybersecurity should be a regular board agenda item with documented discussion and decisions.
- Document your risk management program. Maintain written policies for access controls, incident response, vendor management, employee training, and data protection.
- Engage legal counsel. Materiality assessments and disclosure language should involve legal review. Establish that relationship before an incident.
The Trend
The SEC's rules follow similar movements in other jurisdictions and industries. The direction is clear: cybersecurity disclosure is becoming mandatory across all sectors. Healthcare has HIPAA breach notification. Financial services now has SEC disclosure. Legal and other industries will follow.
The firms that treat cybersecurity as a business risk (not just an IT issue) and establish governance, documentation, and disclosure processes now will be positioned for whatever regulatory requirements come next.