How New SEC Rules Can Benefit Cybersecurity Teams

Securities and Exchange Commission rules elevate cybersecurity to a critical strategic concern and compel businesses to prioritize cyber resilience.

Haywood Marsh, General Manager, NAVEX IRM & NetClaim

September 7, 2023


The recent adoption of cybersecurity disclosure rules by the Securities and Exchange Commission (SEC) ushers in a transformative era for public companies. Under the updated regulations, the latest revision to Form 8-K emphasizes the importance of collaboration between a company's internal and external stakeholders. This amendment requires the prompt disclosure of "material cybersecurity incidents" through Form 8-K submissions within four days of the company's determination that the incident is indeed material. The disclosure should encompass a comprehensive overview of the incident's key details, including its nature, extent, and timeline.

Special attention should be given to articulating the ramifications of the occurrence, both actual and reasonably foreseeable, including its potential financial implications. This strategic shift in an organization's disclosure requirements underscores the value of proactive governance and a well-structured mitigation plan that aligns seamlessly with the newly established disclosure guidelines.

Establishing a Solid Governance Structure: The Foundation of Cybersecurity Strategy

As organizations grapple with the recent SEC ruling, they will naturally focus internally on their existing cybersecurity strategies. Yet, this moment offers an opportunity for frontline professionals to share the company's current robust governance frameworks and help top executives and the board assess current methodologies and shape future cybersecurity protocols. Because solid cyber governance enhances trust among internal stakeholders, customers, and partners by demonstrating a capacity to recognize and handle cyber-risks, it should be considered a program cornerstone.

Elevating Cybersecurity to Strategic Importance

In a world of constantly shifting cyber threats, the presence of experienced cybersecurity experts on corporate boards becomes indispensable. These experts provide valuable insights, helping executives make wise choices and advocating for more resources to strengthen defense mechanisms. By affording cybersecurity the same strategic importance as financial well-being, organizations can significantly enhance their resilience against cyber threats.

Enlisting seasoned cybersecurity experts for leadership positions can deliver a comprehensive perspective of cyber threats and their potential repercussions on the organization. Their expertise empowers executives to make well-informed judgments, harmonizing cybersecurity priorities with overarching business objectives. This proactive approach enables organizations to simultaneously adopt a resilient cybersecurity process that meets business objectives and can withstand the constantly evolving threat landscape. While the SEC rules stop short of requiring cybersecurity expertise on the board of directors, it was under close consideration given the critical role these defenses play in ensuring business resilience and continuity.

Maintaining Transparency and Timely Incident Communication

The new SEC rules raise the stakes for organizations when it comes to disclosing cybersecurity incidents. Clear and timely communication about these incidents is essential for building trust and collaboration among frontline employees, executives, board members, regulators, and the public. Accepting this accountability enables organizations to learn from one another's circumstances and unite around a common goal of robust defense against cyber dangers.

Transparency is now the main expectation in the SEC's cybersecurity rules. Organizations should recognize that no entity is exempt from cyber threats, underscoring the importance of timely communication when incidents occur. By adopting a transparent disclosure policy, organizations can cultivate confidence among stakeholders and foster a collaborative environment that bolsters the resilience of an entire industry. This level of transparency also encourages everyone in the organization to participate, making employee efforts like cyber training more effective and helping to create a more cybersecurity-aware culture.

Empowering Executives in the Cybersecurity Battlefield

Effective cybersecurity requires executives and the board to view it as a paramount strategic concern. It is imperative that frontline professionals are not left to navigate the battlefield alone, engaging in a futile game of cyber whack-a-mole. So, what's the solution? A company must identify an executive who understands the importance of cybersecurity and can explain its strategic value to the organization's primary decision-makers. Companies that seize this opportunity gain a competitive edge, ensuring their resilience in an ever-evolving digital landscape.

Transforming Cybersecurity Into a Strategic Priority

Many cybersecurity teams have worked long and hard to get the ear of the business and build knowledge about their programs' strategic value; the SEC's new cybersecurity rules provide teams with the roadmap to achieve this goal. So, instead of perceiving the new SEC rules as a cumbersome necessity, companies should see them as an opportunity to adopt a new way of thinking, elevating cybersecurity to a critical strategic concern within the C-suite and boardroom. The SEC's focus on managing cybersecurity risk acts as a clarion call, compelling businesses to give precedence to the security of their operations and stakeholders in this critical digital era and gain a deeper understanding of how these teams protect the business in a material way.

Company leaders must advance the discussion around cyber threats and consider cybersecurity a crucial strategic factor across the business. Through adopting a solid governance structure, open and clear communication, forward-thinking oversight, and leveraging the skills of cybersecurity experts, companies can not only adhere to mandates but also forge a secure and prosperous path toward cyber resilience.

About the Author

Haywood Marsh

General Manager, NAVEX IRM & NetClaim

Haywood Marsh leads the NAVEX IRM and NetClaim business units, where he brings experience in strategic planning, sales, marketing, product, customer success and operations to his role. Prior to NAVEX, Haywood led marketing, strategic/product planning, and an inside sales team for a division of Danaher. He previously served in the Pentagon as a military strategy consultant and team lead for Booz Allen Hamilton, and ran a live military intelligence mission while serving as a soldier in the US Army, among other roles. Haywood earned an MBA from The Kellogg School of Management at Northwestern University, and a degree in international business from Virginia Tech.
