Insights

SEC Final Rule

Article Cybersecurity

In July of 2023, the SEC adopted a new rule requiring companies to disclose cybersecurity incidents within a tighter timeframe than previously mandated. 

Cyberattacks can have devastating consequences for individuals, businesses, governments, and society at large, ranging from identity theft and financial losses to disruption of critical infrastructure and national security. For publicly traded companies in particular, the damage of a cyberattack can cost money, time, and worst of all – reputation.

The Role of the SEC in Cybersecurity
To protect investors, securities, and the overall capital markets, the Securities and Exchange Commission (SEC) evaluates the threat landscape and considers how to productively regulate publicly traded companies to be more secure, resilient, and transparent. The SEC is encouraging corporations to maintain adequate cybersecurity policies and procedures, disclose material cyber risks and incidents, and safeguard confidential customer information.

The SEC Final Rule
In July of 2023, the SEC adopted a new rule requiring companies to disclose cybersecurity incidents within a tighter timeframe than previously mandated. The new regulation aims to enhance and harmonize the disclosures that organizations provide about their cybersecurity risks, policies, practices, and events. The rule reflects the increasing importance of cybersecurity in the rapid development and adoption of digital technologies, Artificial Intelligence (AI), hybrid work models, cryptocurrencies, and the growing sophistication and profitability of cyberattacks, which escalate the potential impact and costs of cybersecurity issues.
The SEC Final Rule emphasizes the Disclosure of Cybersecurity Incidents, as well as the communication of Cybersecurity Risk Management, Strategy, and Governance for public companies. Apex can help your organization comply with the new rules by providing guidance on the following directives.

Disclosure of Cybersecurity Events:

  • The new Item 1.05 of Form 8-K requires that registrants report any material cybersecurity incident within four business days after determining that it was material.
  • The report should include the key details of the incident's nature, scope, and timing, and how it affected or might affect the registrant, including its finances and operations. 
  • The US Attorney General may allow a 30-day delay in reporting if disclosing the incident would be too risky for national security or public safety. 
  • If new information about a material incident becomes available or known after the first Form 8-K filing, an amended Form 8-K is required.

Cybersecurity Risk Management, Strategy, and Governance:

  • Companies must also explain in their Form 10-K how they assess, identify, and manage significant risks from cybersecurity threats, if any, including whether they have integrated the cybersecurity processes into their overall risk management system or processes and how, whether they use assessors, consultants, auditors or other third parties for such processes, and whether they have processes to monitor and identify significant risks from cybersecurity threats related to their use of any third-party service provider.
  • Companies must also disclose whether any risks from cybersecurity threats, including from any past cybersecurity incidents, have materially impacted or are reasonably likely to materially impact the registrant - including its business strategy, results of operations, or financial condition and if so, how. 
  • The new rules also require disclosures about the Board of Directors' (BOD) role in overseeing risks from cybersecurity threats and management's role in evaluating and managing major risks from cybersecurity threats.

The SEC Final Rule emphasizes the Disclosure of Cybersecurity Incidents and the communication of Cybersecurity Risk Management, Strategy, and Governance for public companies. 

Apex Systems’ Cybersecurity Solution
With Apex’s cybersecurity knowledge and experience, your organization can address the new SEC regulations and we can help secure your organization’s environment and deter cyber threats. Our custom solutions and services can guard your company’s interests, preserve trust, and enhance overall cyber resilience.

Apex provides guidance and assistance to financial institutions and other entities regulated by the SEC in complying with the agency's cybersecurity regulations and guidelines. Here’s an overview of what we offer to our customers:

Regulatory Compliance and Gap Assessment

  • Conduct a comprehensive assessment of the organization's current cybersecurity posture against relevant SEC regulations and cybersecurity guidance.
  • Identify gaps and deficiencies in the organization's cybersecurity policies, procedures, and controls compared to SEC requirements.
  • Develop a remediation plan to address identified gaps and enhance the organization's cybersecurity posture to achieve compliance.

Policy and Procedural Development

  • Develop and implement cybersecurity policies, procedures, and controls tailored to the organization's specific business operations and regulatory obligations.
  • Ensure alignment with SEC regulations and industry best practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Risk Management and Assessment

  • Conduct cybersecurity risk assessments to identify, prioritize, and mitigate risks to the confidentiality, integrity, and availability of sensitive financial data.
  • Develop risk management strategies and controls to address identified risks and vulnerabilities.

Incident Response Planning

  • Develop and implement an incident response plan to effectively detect, respond to, and recover from cybersecurity incidents, including data breaches and unauthorized access.
  • Conduct tabletop exercises and simulations to test the organization's incident response capabilities and readiness.

Vendor Risk Management

  • Assess and manage cybersecurity risks associated with third-party vendors and service providers, including those that handle sensitive financial data on behalf of the organization.
  • Develop vendor risk management programs, policies, and procedures to ensure that vendors meet cybersecurity requirements and adhere to SEC regulations.

Regulatory Compliance and Support

  • Assist with regulatory examinations and inquiries related to cybersecurity compliance by preparing documentation, responding to inquiries, and facilitating communication with regulatory authorities.
  • Keep abreast of changes in SEC regulations and guidance and provide updates and guidance to ensure ongoing compliance.


Partner with Apex Systems so your business is prepared to not only comply with the SEC’s cybersecurity ruling, but also to navigate the complex regulatory landscape, strengthen your cybersecurity posture, and mitigate the risk of regulatory non-compliance and associated penalties.
 

Related Insights: Cybersecurity
By AMIEL DE GUZMAN
Solutions Director
You May Also Like
Multiple devices secure with cybersecurity lock image.
Enhancing Security Program Maturity
Case Study Cybersecurity
a man sitting at a computer
Security Operations and Incident Response Managed Service​
Case Study Cybersecurity
hands holding a cell phone in front of a laptop with virtual banking icons
Mobile DevSecOps Platform
Case Study Product and Application Development