
SEC Announces New Cyber Rule
Once enacted, these rules will likely provide greater transparency, clarity, and measurability for executives, shareholders, employees, customers, and regulators alike, while also helping ensure that all parties are on the same page when it comes to some of the most important cybersecurity decisions and management strategies an organization can make.
While beneficial in the long run, these rule changes will be felt most significantly in the short term, at a time when cybersecurity budgets are being cut and resources are being stretched. Perhaps most significantly, public companies will – The new rules would also affect previously disclosed incidents. In these cases, registrants would be required to amend Forms 10-Q and 10-K with updated disclosure statements.
Further, registrants would also be required to amend these forms “to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.”
These rules, which were penned by the SEC last year and have since gone through two public comment periods, also require public companies, among other things, to disclose:
Management's role in implementing cybersecurity policies and procedures, including board of directors' oversight of cybersecurity risks;
Its Board of Directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk.
What You Should Do Right Now
Additionally, we strongly urge you to conduct a comprehensive review of your incident response plans (IRPs) to determine your organization's current cybersecurity event reporting requirements. These requirements include your mandatory reporting timeframe, who you're reporting to, and what information you must share.
If these new rules and their various requirements have your head spinning and you need more thorough guidance, the Fortalice team is at your service:
Updating Incident Response Plans: Our Custom Solutions team is highly skilled in weaving policy requirements into our clients' incident response plans, so you'll never be concerned that your organization is missing the mark with one of the government's latest rules or requirements.
Test Your Incident Readiness: The Fortalice Strategic Communications team is ready to help you test out your updated IRPs through tailored tabletop exercises that fit your organization's ever-expanding and continuously evolving security needs.
Provide More Detailed Overview: Working together, our Custom Solutions and Strategic Communications teams can provide a more detailed analysis of the proposed new rules as well as an assessment of how each rule stands to affect your organization and its resources.