Navigating the New SEC Cybersecurity Rules: A Deadline Reminder and FAQs

The financial sector is bracing for a significant shift with the U.S. Securities and Exchange Commission (SEC) “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule taking effect on December 18, 2023.

As the deadline looms, financial firms must have mechanisms in place to comply with cybersecurity reporting and disclosure requirements on annual and periodic forms. 

What does this mean for your company?  

Public companies subject to the reporting requirements under the Securities Exchange Act of 1934 must disclose any cybersecurity incident that is “determined to be material”i and describe the material aspects of the incident on amended form 8-K within four business days of determining an incident was material. Additional periodic reporting is also required to disclose any previously unreported material cyber incidents or material “changes, additions, or updates” on quarterly report Form 10-Q or annual report Form 10-K, whichever is next in the reporting sequence.  

Furthermore, covered firms must also disclose information related to their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any previously identified threats “have materially affected or are reasonably likely to affect” the entity.ii Finally, covered firms must disclose information related to the Board of Directors (or Executive Committee, as applicable) oversight of cybersecurity risk in annual reporting (Section 106(c) on Form 8-K).  

In order to facilitate effective reporting that satisfies the new regulatory requirements while also protecting the business, entities must have visibility into the cyber threat vectors impacting their business. This enablement requires a cohesive and integrated suite of data security and cybersecurity solutions including data governance, endpoint threat detection, network threat detection, cloud security monitoring/threat detection, logging, and 24×7 security monitoring.   

It’s crucial to acknowledge that the deadline is a call to action for registered financial firms who must begin complying with the reporting requirements in the next reporting cycle. In this blog post, we’ll delve into the critical aspects of the new SEC rule, address FAQs and explore how Thrive can provide solutions and guidance to navigate this new landscape. 

Understanding the SEC’s Cyber Risk Management Rules 

The SEC’s recent rule update emphasizes the need for robust cybersecurity monitoring and reporting measures from both a technical product and corporate process perspective –. The December 18th deadline is significant, highlighting the urgency for firms to enhance their cybersecurity posture and reporting mechanisms. 

FAQs: Decrypting the SEC Cybersecurity Rule 

Q1: Why is Detection and Response Crucial? 

A1: Detection and response are paramount in the new SEC cybersecurity landscape. Quick correlation of incidents is vital for containing and mitigating threats before they materially impact the business and/or clients and investors. According to the 2023 Verizon Data Breach Investigations Report, approximately 60% of incidents were discovered within days. However, 20% could take months or more before organizations realized something was amiss, which poses a significant risk. These findings showcase the importance of proactive oversight, tools and collaboration with Managed Security Service Providers (MSSPs). Furthermore, without a clear understanding of an active threat and associated impact, proper regulatory reporting and client disclosures becomes a harrowing process. 

Q2: I’m Not Sure What Our Current Capabilities Are – What Steps Can We Take? 

A2: SEC-based readiness assessments can assist with identifying IT compliance alignment with SEC rules and provide clarity for strategy development around any areas of improvement. This process will help identify gaps in cybersecurity measures and lay the groundwork for effective compliance strategies. Managing your assessment output and strategic initiatives through our vCISO service is a powerful combination that can deliver lasting results while creating business value.  

Q3: How Can Thrive Assist in SEC Compliance? 

A3: Thrive, a Managed Security Service Provider (MSSP) with over two decades of experience in financial IT, stands as a trusted partner in navigating SEC cybersecurity rules. Our dedicated POD approach combines technical and industry expertise, ensuring positive outcomes. Thrive offers a wide range of services, including SEC Readiness Assessments, Managed Detection and Response (MDR) and Security Operations Center (SOC) services, incident response planning, policy development, IT compliance and vCISO advisory. Having a defined corporate governance committee responsible for IT compliance is also integral to fulfilling the new rule requirements. 

Thrive’s Solutions for SEC Compliance 

Thrive’s comprehensive suite of services addresses the specific needs outlined by the SEC: 

• SEC-Readiness Assessments: Identify alignment with SEC IT Compliance requirements and define a tailored strategy to improve your firm’s posture. 
• Managed Detection and Response: Leverage our SOC to enhance your organization’s threat detection, investigation, and containment capabilities. 
• Incident Response Planning & Policy Development: Establish robust incident response protocols and policies aligned with SEC guidelines. 
• vCISO Advisory: Thrive is a trusted security advisor, aiding in committee definition and fulfilling the new rule requirements. 

Prepare Today for a Secure Tomorrow 

Thrive’s wealth of experience and tailored solutions position us as a reliable partner in navigating this complex landscape.  

Fill out the form below to contact Thrive today to discuss how we can support and enhance your IT Compliance transformation initiatives.